Nuclear Power Plants: Innovative Technologies for Instrumentation and Control Systems: The Fifth International Symposium on Software Reliability, ... Notes in Electrical Engineering, 779) 9811634556, 9789811634550

This book is a compilation of selected papers from the fifth International Symposium on Software Reliability, Industrial

English, 778 pages [779], 2021

Table of contents:
Contents
Research on Converged Wireless Communication Network Scheme in Nuclear Power Plants
1 Introduction
2 Converged WCN Scheme for Case 1
3 Converged WCN Scheme for Case 2
4 Converged WCN Scheme for Case 3
5 Conclusion
References
Research About Computer Based System Reliability Demonstration Methods in Nuclear Power Plant
1 Background
2 Life Cycle of I&C System in Nuclear Power Plant
3 Hardware and Software Reliability Guarantee Methods
3.1 Hardware Reliability Guarantee
3.2 Software Reliability Guarantee
4 Computer Based System Reliability Demonstration Test
4.1 Testing Methods Discussion
4.2 Statistical Testing in Nuclear Power Plant
4.3 Test Cases
4.4 Test Method Deviation
5 Conclusion
References
Multi-ray Intelligent Monitoring System for Mixed Radiation Field Measurements
1 Introduction
2 Measurement System Design
2.1 γ-ray Measurement Unit
2.2 Neutron Measuring Unit
2.3 α Aerosol Measurement Unit
2.4 Tritium Monitoring Unit
2.5 Radon Concentration Monitoring Unit
2.6 The Integrated Monitoring System
3 Experiments and Discussion
3.1 γ-ray Measurement Unit Test
3.2 Neutron Measurement Unit Test
3.3 α Aerosol Measurement Unit Test
3.4 Tritium Monitoring Unit Test
3.5 Radon Concentration Monitoring Unit Test
4 Conclusion
References
Basic Model Design of Online Monitoring System for Mixed Radiation Field
1 Preface
2 Establishment of the Basic Model of On-Line Radiation Monitoring System
2.1 Functional Requirements
2.2 Index System
2.3 Establishment Principles
2.4 Instrument Selection and Development Principle
3 Key Technologies and Solutions
3.1 Various Types of Data Acquisition and Processing Technology
3.2 Multi-system Integrated Technology
4 Experimental Verification Design
4.1 Radiation Performance Test
4.2 Environmental Experiment
4.3 Reliability Experiment
4.4 Maintainability Experiment
5 Application Demonstration Design
5.1 Representative Application of Demonstration
5.2 Evaluability of Demonstration Application
6 Conclusion
Duty Ratio Restriction Strategies of Space Vector PWM for Power Amplifiers of AMBs
1 Introduction
2 Power Amplifier for AMBs
3 The Principle of SVPWM of Three-Phase Bridge Circuit
4 Two Duty Ratio Restriction Strategies
4.1 Proportional Reduction Strategy
4.2 Period Bisection Strategy
4.3 Comparison of Two Duty Ratio Restrictions
5 Digital Implementation of Power Amplifier Control Algorithm
6 Experiments of Two Duty Ratio Restriction Strategies
6.1 Normal Tracking Experiment
6.2 Comparison of Two Duty Ratio Restriction Strategies When Command Signals Exceed the Tracking Range
7 Conclusions
References
Research and Application of 3D Real-Time Simulation Technology for Thermal and Hydraulic Mechanism in Nuclear Power Plant
1 Introduction
2 Virtual Reality Technology and Application
3 System Implementation
3.1 Design Idea
3.2 Technical Framework
3.3 Thermal Hydraulic Modeling
3.4 Real-Time Analog Data Processing
3.5 Data Driven Model
3.6 Dynamic Visualization Interaction
4 Application Status
5 Conclusion
References
Research on Software Quality Evaluation Model of Instrument and Control System in Nuclear Power Plant
1 Introduction
2 Software Quality Evaluation Index
3 Software Quality Evaluation Model Based on Analytic Hierarchy Process
3.1 Establishing Hierarchical Model
3.2 Constructing Judgment Matrix
3.3 Computing Weight Vector
3.4 Checking Consistency
3.5 Computing Comprehensive Score
4 Concluding Remarks
References
The Security Based on Wireless Network in Nuclear Power Plant
1 Application Background of Wireless Network in Nuclear Power Plant
2 The Security Risks of Wireless Network in Nuclear Power Plants
3 Analyses of Wireless Network Security Regulations and Standards
4 Nuclear Power Plant Wireless Network Security Protection Strategy
4.1 Application Range of Wireless Network
4.2 Wireless Network Security Protection Measures
5 Summaries
References
Information Fusion Analysis of Cyberattack Identification Based on D-S Evidence Theory
1 Introduction
2 Theoretical Foundations
2.1 Basic Concepts
2.2 Dempster's Rule of Combination
2.3 Triangular Fuzzy Number
2.4 BPA Generation Method Based on Triangular Fuzzy Number
3 Testbed and Cyberattack Types Description
4 Experimental Results and Analysis
4.1 Training and Test Data Generation
4.2 Triangular Fuzzy Number Model Construction
4.3 Test Samples Matching and BPA Generation
4.4 BPA Fusion Using Dempster’s Rule of Combination
5 Conclusions
References
Power Control System of Small Modular PB-Bi Fast Reactor (SMPBR)
1 Introduction
2 Model and Methods
2.1 Point Reactor Kinetics Equations
2.2 Thermal Dynamic Model
2.3 Hot and Cold Pool
2.4 Reactivity
3 Results and Discussion
3.1 Adjust Power by the Coolant Flow Rate
3.2 Influence of Core Inlet Temperature on the Primary Circuit
4 Conclusion
References
Research on Integrated Management Technology for Physical Protection System of Nuclear Facilities
1 Physical Protection System
1.1 Definition of Physical Protection System
1.2 Composition of Physical Protection System
1.3 Function Realization of Physical Protection System
2 Integrated Management System
2.1 Development Status of Integrated Management System
2.2 Development Trend of Integrated Management System
3 Construction Scheme of Integrated Management System
3.1 Functional Requirements of Integrated Management System
3.2 Composition of Integrated Management System
3.3 Software Architecture of Integrated Management System
4 Summary
References
Calculation and Selection of Cross-Sectional Area of Instrumentation and Control Cable Core
1 Introduction
2 Principle Analysis
3 Calculation of Maximum Laying Length of Cable
3.1 Digital Input Signal
3.2 Digital Output Signal
3.3 Analog Input Signal
3.4 Analog Output Signal
3.5 Temperature Measuring Loop System
4 Conclusion
References
The Formulation of BOP Auxiliary System Centralized Control Network in Nuclear Power Plant
1 Introduction
1.1 A Subsection Sample
2 BOP Auxiliary System Control Network Analysis
2.1 Status of Auxiliary System Control
2.2 Solution of BOP Auxiliary Control Network
3 Network Architecture and System Composition
4 Analysis on the Implementation of BOP Auxiliary Control Network
4.1 Impact Analysis of New Construction Progress
4.2 Impact Analysis of New Works Design
4.3 Impact Analysis of New Construction Procurement
4.4 Impact of Transformation on In-Service Power Plant Operation
5 Conclusion
References
An AHP-Fuzzy Complex Evaluation Method for MCR Human Factors Engineering Verification and Validation
1 Introduction
2 Human Factors V&V Overview
3 AHP-Fuzzy Complex Evaluation Model
3.1 Establishment of Evaluation Index System
3.2 Multilevel Fuzzy Complex Evaluation Model
4 Case Study
4.1 Weight Determination Based on AHP
4.2 Complex Evaluation
5 Conclusion
References
Research on Control Strategy of Nuclear Island Ventilation Systems in Nuclear Power Plant
1 Introduction
2 Analyses of Industry Development and Challenges
2.1 Safety Classification Requirements Changes and Challenges
2.2 Automatic and Control Level Requirement Change and Challenge
3 Control Strategy and Development Ideas of Nuclear Island Ventilation Systems
3.1 Control Strategy Face to the Challenge of Safety Classification
3.2 Ideas for Improving the Automation Level
4 Implementation Results
5 Conclusion
References
The Safety Function Design Improvement of Circulation Water Filter System in CPR1000 Unit
1 Introduction
1.1 The Flow Diagram of CFI System in CPR1000
1.2 The Main Equipment of CFI System in CPR1000
1.3 The Operation Process of CFI System in CPR1000
1.4 The Function Analysis of CFI System in CPR1000
1.5 The Safety Classification of CFI in CPR1000
2 The CFI Safety Function Design Defect in CPR1000
2.1 Design Concept Defect
2.2 Function Classification Defect
2.3 Logic Function Design Defect
2.4 Logic Design Defect
3 The Design Improvement of CFI in the Third Generation Unit
3.1 The Design Concept Improvement
3.2 Function Classification Improvement
3.3 Manual Logic Design Improvement
4 Results
5 Conclusion
References
A Study About Unit Testing for Embedded Software of Control System in Nuclear Power Plant
1 Introduction
2 Related Works
2.1 Embedded Software Testing Features
2.2 Unit Test of Embedded Software
3 Embedded Software Unit Test Method Based on Program Piling
3.1 Software Structure Analysis
3.2 Program Piling
3.3 Syntax Modification
3.4 Hardware Simulation
4 Engineering Practice
4.1 Software Analysis
4.2 Software Separation
4.3 Unit Test
5 Conclusions
References
Design of Defence in Depth for I&C System in Pressurized Water Reactor Nuclear Power Plant
1 Introduction
2 Requirements of IAEA
2.1 Requirements of IAEA SSR2/1
2.2 Requirements of IAEA TECDOC 1791 [2]
2.3 Requirements of IAEA SSG-39 [3]
2.4 Summary
3 Design of DiD for I&C System
3.1 DiD of I&C System
3.2 Compliance Analysis with Requirements of IAEA
3.3 Independence Analysis
3.4 Diversity Analysis
4 Conclusion
References
Test Analysis About Hydrogen Detection Equipment Under Severe Accident in Nuclear Power Plant
1 Introduction
2 Hydrogen Detection Requirement Analysis
2.1 Requirements on System Level
2.2 Requirements on Equipment Level
3 Design of the Testing System
3.1 Testing Requirement Analysis
3.2 Testing Requirement Under Normal Ambient Condition
3.3 Qualification Tests for Nuclear Power Plant
3.4 Testing System Design
3.5 Testing Environment
4 Testing System Application
5 Summary
References
Research of Advanced Control Algorithm in Primary Loop Control System
1 Introduction
2 Primary Loop System Model
2.1 Core Power Model
2.2 Pressure and Water Level Model of Regulator
2.3 Water Level Model of Steam Generator
3 Advanced Predictive Control
3.1 Stepped DMC
3.2 Multi-model Predictive Control
4 Simulation Verification
4.1 Linkage Relationship Between Primary Loop Control Systems
4.2 Overall Simulation of Primary Circuit
5 Conclusions
References
Research of SSAE-GPC in Coordinated Control System of Nuclear Power Plant
1 Introduction
2 SSAE-SGPC
2.1 Sparse Stacking Automatic Encoder (SSAE)
2.2 SSAE-SGPC
3 Coordination System Control Based on SSAE-GPC
3.1 Coordinated System Model of Nuclear Power Plant
3.2 SSAE-GPC Model Prediction
4 Simulation Verification
4.1 Setpoint Disturbance Simulation
4.2 Internal Disturbance Simulation
4.3 External Disturbance Simulation
5 Conclusion
References
Reliability Verification Scheme for Safety Class DCS and Its Implementation in Nuclear Power Plant
1 Introduction
2 Reliability of Safety Class DCS
3 Reliability Index Verification Scheme of Safety Class DCS
3.1 Refusal Probability Verification Scheme of Safety Class DCS
3.2 Malfunction Rate Verification Scheme of Safety Class DCS
3.3 Availability Verification Scheme of Safety Class DCS
4 Implementation of Reliability Verification Scheme of Safety Class DCS
5 Conclusion
References
An Ergonomic Analysis of Main Control Room Console in Nuclear Power Plant Based on Jack
1 Introduction
2 Human Body Simulation Software
2.1 Comparison of Human Body Modeling Simulation Software
2.2 Jack Simulation Software
3 The Foundation of Ergonomic Analysis
3.1 Digital Human
3.2 Environment Building
4 Ergonomic Analysis
4.1 Accessibility
4.2 Visibility
4.3 Collision Detection
5 Practical Application
6 Conclusion
References
Verification Method and Basic Guarantee of RPS Availability in Nuclear Power Plant
1 Introduction
2 Concept of Availability and Necessity of Verification
2.1 The Concept of Availability
2.2 The Necessity of Availability Verification
3 Verification Method for the Availability of Digital Instrument and Control System in Nuclear Power Plant
3.1 Traditional Availability Verification Methods
3.2 Recommended In-Plant Availability Test Verification Method
4 Basic Guarantee of Test
4.1 Test Preparation and Prerequisites
4.2 Test Guarantee Condition
4.3 Test Control and Management
5 Conclusion
References
Design Method of Human-Computer Interactive Interface of MTS Based on DCS of Nuclear Power Plant
1 Introduction
2 Requirement Analysis of MTS Human-Computer Interaction
2.1 Human-Computer Interaction Model of MTS
2.2 Requirements Analysis of MTS
3 Overall Scheme of Software Human-Computer Interaction System of MTS
3.1 Interaction Design Scheme
3.2 Visual Design Scheme
4 Example of Human-Computer Interface Design of MTS
4.1 Software Development Environment
4.2 Structure and Layout
5 Significance and Impact Analysis
6 Concluding Remarks
References
Formally Verified a Front-End of the Trusted Code Generator for Safety I&C Software of NPPs
1 Introduction
2 The Graphical Algorithms Model Described Language Lustre
3 The Architecture of the NASCG
4 The Core Transformations in Front-End of NASCG
4.1 Type Check Pass
4.2 Simplification Pass
4.3 Scheduling Pass
5 Operational Semantics and Proof of Correctness
6 Conclusions and Future Work
References
Design of Emulation System for Safety DCS
1 Background
2 Virtualization
3 Virtual DCS Design
3.1 System Structure Design
3.2 Virtual DPU Development
4 Simulation Functions
4.1 Simulation States Switching Function
4.2 Data Management Function
4.3 Virtual Hardware Function
4.4 Malfunction Simulation Function
4.5 Function Design of VDPU
5 Closed-Loop Simulation Verification
6 Conclusion
References
Trusted Algorithm Compiler for Safety I&C Software of NPPs Based on Formal Methods
1 Introduction
2 Related Background
3 Trusted Compilation by Formal Methods
3.1 Two Formal Methods
3.2 Trusted Algorithm Compiler Architecture - Composite Compilation for NASPIC
3.3 Proof of the Semantic Consistency of the Compiler
3.4 Compiled to Ensure the Optimization of the Compiler by Translation Validation
3.5 Trusted Compilation Optimization Research
4 Examples and Applications
5 Conclusion
References
Design and Implementation of Translation-Based Virtual DCS Based on Simulink
1 Introduction
2 System Design
2.1 Process System Model
2.2 Configuration Translation
2.3 Periodic Control and Fast and Slow Speed Functions
2.4 Implementation of Variable Value Setting and Acquiring
2.5 Snapping and Loading Working Conditions Function
2.6 Analysis on the Pressurizer Level Control System
3 Case Analysis
4 Conclusion
References
Testing Verification of Pressurizer Control in Nuclear Power Plant Based on Comparative Simulation
1 Introduction
2 Testing Verification System Design
2.1 Construction of the Testing Verification Structure
2.2 Testing Software Design
3 Process System Model
4 Experiment Verification
4.1 Closed-Loop Imitation System Design
4.2 Analysis on the Pressurizer Level Control System
4.3 Analysis on the Simulation Results
4.4 Algorithm Logic Check Example Analysis
5 Conclusion
References
Optical Fiber Communication and Wireless Communication Technology Oriented to Internet of Things
1 Introduction
2 The Basic Structure of the Internet of Things
3 The Scheme of Things and ITS Application in Electric Power Communication System
3.1 Cable EPON+ Wireless Communication Solution
3.2 Optical Fiber and WiFi Wireless Networking Solutions
3.3 The Construction of Network Load to Determine the Way
3.4 The Realization of Intelligent Communication Computer Room Management and Spare Parts Management System
4 Application of the Perception Layer of the Optical Communication Technology in the Internet of Things
4.1 Application of Optical Fiber Sensing Technology in the Perception Layer
4.2 Application of Wireless Optical Communication Technology in the Perception Layer
5 Optical Communication Technology Application in the Network Layer in the Network
5.1 Optical Fiber Communication Technology Application in the Network Layer in the Network
5.2 Wireless Communication Technology Application in the Network Layer in the Network
6 The Wireless Terminal of the Internet of Things
7 Conclusion
References
Research on Reliability Design of PROFIBUS Fieldbus System in Conventional Island of Nuclear Power Plant
1 Introduction
2 Typical Fault Analysis
3 Discussion on Systematic Solutions
3.1 Redundancy Design of Bus Control System
3.2 Bus Control System and Conventional Control Diversity Means
3.3 Design of Fieldbus Network Segment Based on Function Allocation Principle
3.4 Network Segment Design Based on PROFIBUS Fieldbus Technology
3.5 Selection of Bus Type Intelligent Equipment
3.6 Layout of Bus Intelligent Equipment
4 Potential Problems and Analysis
References
Research and Practice of Design Process (Knowledge) Reuse in the Data State Environment of Nuclear Power Design Company
1 Introduction
2 New Challenges of the Digital Design and Production Environment
2.1 Analysis of Digital Production Environment for Nuclear Power Design
2.2 Business Challenges Brought by Space Evolution of Archives Objects
2.3 Challenges of Nuclear Power Plant Design Process (Knowledge) Reuse
3 Practice of Preservation Strategy Under Tri-State Archives Situation Awareness
3.1 Construction of Design Results Database Aiming at Design Reuse
3.2 Exploration of Design (Knowledge) Reuse Based on WBS of Nuclear Power Design Criteria
3.3 Design Business Process and Implementation of Knowledge Modeling Technology
3.4 Conclusion
References
Study on the Feedwater Control of the Once-Through Steam Generator in the Sodium-Cooled Fast Reactor (SFR)
1 Introduction
2 Materials and Methods
2.1 OTSG Model Description
2.2 Parallel Channel Model Description
2.3 Feedwater Pump Model Description
2.4 Feedwater Regulating Valve Model Description
2.5 Control System Establishment
3 Results and Discussion
4 Conclusion
References
Design and Improvement for γ Dose-Rate Monitor System of Nuclear Power Plant
1 Component Structure and Function
1.1 Ionization Chamber
1.2 Electrode
1.3 Cable
1.4 Electrometer
2 Failure of LOCA Environmental Test
3 Fault Analysis
3.1 Preliminary Analysis
3.2 Location Analysis of Leakage Point
3.3 Cause Analysis of Leakage
4 Improvements
4.1 Improvement of Processing Technology
4.2 Improvement of Detection Method
4.3 Personnel Improvement
5 Conclusion
References
Discussion on the Software V&V Technology in Nuclear Power Plants
1 Introduction
2 Standard Requirements
3 Technical Discussions
3.1 Pre-developed Software Identification
3.2 New Software V&V
3.3 Calculation Software Used for Safety Analysis
4 Development Trend of Software V&V
5 Summary
References
Research and Application of RPN Key Technologies in Nuclear Power Plants
1 Introduction
2 Key Technologies Problem
2.1 Technical Status
2.2 Urgent Problem
2.3 Technical Difficulty
3 Solution
3.1 Monitoring After Accident
3.2 Installation Technology of Detector Components
3.3 Signal Anomaly
3.4 Technical Solution
4 Solution Application
5 Conclusions and Prospects
References
Design of Intelligent Test System for RPI in Nuclear Power Plant
1 Introduction
2 Test System Principle
2.1 Introduction of Rod Position Detector and Its Performance Test
2.2 Test Function Requirement Analysis
3 Test System Design
3.1 Hardware Design
3.2 Software Design
4 Conclusions
References
Documentation Verification Based on Natural Language Processing for Safety-Critical Digital I&C System in NPP
1 Introduction
2 Key Characteristics of Safety-Critical I&C Software
3 Verification of Structural Integrity
3.1 Calculation of Word Semantic Similarity
3.2 Documentation Structural Integrity Calculation Algorithm
3.3 Scoring Mechanism
4 Example of Documentation Verification
5 Conclusions
References
Software Quality Evaluation of Non-safety Digital I&C System in NPPs
1 Introduction
2 Standard System
3 Quality Evaluation Model
4 Evaluation Key Points
4.1 Design Phase
4.2 Equipment Manufacturing Phase
4.3 Commissioning Phase
5 Conclusions
References
Preliminary Study on Improving the Automation Level of Large Commercial Pressurized Water Reactor
1 Introduction
2 Current Status
3 Framework on Improving the Automation Level
4 Discussion and Conclusion
References
Research and Application of FPGA V&V Technology in NPP Safety I&C System
1 Introduction
2 Standard Research
3 FPGA V&V Scheme
3.1 Research Route
3.2 Scheme Model
3.3 V&V Activities and Tasks
3.4 V&V Techniques and Methods
3.5 Application Effect
4 Conclusions
References
Research of Software V&V Technology in the Non-safety DCS of NPPs
1 Introduction
2 Requirements of Standards or Reports
3 Operating Experience
4 Software V&V Scheme
4.1 V&V Model
4.2 V&V Activities and Tasks
5 Conclusions
References
Structural Design and Dynamic Analysis of Nuclear Safety DCS Cabinet with Light-Weight and Impact Resistance
1 Introduction
2 Frame Design of Cabinet
2.1 Structural Design Schemes of the Cabinet
2.2 Result of Cabinet Frame Structure
3 Finite Element Simulation Analysis
3.1 Establishment of Finite Element Model
3.2 Computational Conditions for Impact Design
3.3 Design Shock Spectrum Calculation
3.4 DDAM Impact Response Analysis
4 Conclusion
References
Research and Application of the Verification and Validation Method Based on Embedded Technology in Nuclear Power Plants
1 Introduction
2 Research on Standards
3 V&V Scheme
4 V&V Strategy
5 V&V Activities and Tasks
6 V&V Technology and Method
7 Application Effect
8 Conclusion
References
Research and Application of Time-PSF Calculation Method for HRA in Nuclear Power Plant
1 Introduction
2 Research of Time-PSF Calculation Method for HRA
2.1 General Introduction of the Method
2.2 Key Steps of the Method
3 Examples of Application of the Method
3.1 Quantitative Process Based on SOP
3.2 Quantitative Process Based on SEOP
4 Conclusions
References
Reliability Assessment Research and Application for PCBA Solderless Press-In Connection Technique in DCS Safety Class Devices in Nuclear Power Plants
1 Background Introduction
2 Demand Analysis
3 Application Scheme Design
4 Verification Results of PCBA Weldless and Pressed-In Connection
5 Verification Conclusion on PCBA Solderless Press-in Connections
References
Research on the Application of Human Factors Engineering in the Physical Protection System of Nuclear Facilities
1 Introduction
2 Analysis of Human Factors Engineering in the Physical Protection System of Nuclear Facilities
3 Optimization Design of Human Factors Engineering in the Physical Protection System of Nuclear Facilities
3.1 Environmental Design
3.2 Layout Design of Security Building Work Area
3.3 Optimization of Equipment Maintenance Space
3.4 Physical Protection System Alarm Management
4 Application
5 Conclusions
References
The Design and Implementation of an LSTM-Based Steam Generator Level Prediction Model
1 Introduction
2 Implementation of the Prediction Function
2.1 The MATLAB Implementation of the Prediction Unit
2.2 Training of the Prediction Unit
3 Implementation of the Validation Platform
3.1 Traditional Control Unit
3.2 Observation Unit
3.3 Integration of the Validation Platform
4 Experiments and Results Analysis
4.1 Experiment Setup
4.2 Experiment Results and Analysis
5 Conclusion
References
Research on Defense-In-Depth Standards for Information Security in NPP I&C System
1 Introduction
2 Introduction to Information Security Regulations and Standards in Foreign Nuclear Power
2.1 American Standards System
2.2 Other International Standards
3 Current Situation of Information Security Regulations and Standards in Chinese NPP I&C System
3.1 Chinese Nuclear Power Regulations and Standards System
3.2 Information Security Regulations and Standards in Nuclear Power Field
4 Defense-in-depth System in Nuclear Power Plant’s Information Security Regulations and Standards
4.1 Regulatory Guide 5.71
4.2 IEC 62645 Standard
5 Graded Protection Standards for Domestic Computer Information Systems
6 Summary
References
The Analysis for Method of I&C Equipment Period Demonstrating in NPP Refueling Cycle Extension Project
1 Introduction
2 Regulatory Standards Requirements
2.1 Regulation Standards for the Frequency of Supervision
2.2 Requirements for Periodic Test Intervals for Regulatory Standards
3 Equipment Cycle Demonstration Method
3.1 Power Plant Experience Feedback Method
3.2 Supplier Feedback Method
3.3 TCM Analysis Method
3.4 Characteristics of Equipment Cycle Demonstration Method
4 Summary
References
Spurious Actuation of I&C Systems Analysis Methodology in Nuclear Power Plant
1 Introduction
2 Identification of Spurious Actuation
2.1 Failure Scope and Types
2.2 Approach Assumption
2.3 Identification Process
3 Consequence Analysis of Typical Spurious Actuation Event
4 Summary and Discussion
References
Analysis for Periodic Test Interval of Digital I&C System for NPP Based on PSA Technology
1 Introduction
2 Overview of PSA Technology
3 Digital Control System
4 Self-diagnosis of Safety I&C System and Periodic Test
4.1 Self-diagnosis Design
4.2 Periodic Test Design
4.3 Periodic Test Cycle Analysis and Calculation
5 Calculation Process of Periodic Test Interval of Safety I&C System
6 Conclusion
References
Research and Application of Nuclear Instrumentation System EMI Design in Nuclear Power Plant
1 Introduction
1.1 Background
1.2 Problem Analysis
2 Analysis of Equipment and Layout Characteristics of RPN System
2.1 RPN System Equipment
2.2 Analysis of RPN System Layout Characteristics
3 Analysis of Identification Standards for RPN Detectors
3.1 Electromagnetic Compatibility Standards Commonly Used in Nuclear Power Plants
3.2 RPN Detector Evaluation Requirements
3.3 RPN Cabinet Qualification Test
4 Conclusions
References
Research on the Design Improvement of Important Function Interface for Tripping and Load Rejection in Nuclear Power Plant
1 Introduction
1.1 PLC Controller Configuration
1.2 Logic Function Design
1.3 Redundant Fault Tolerance Mechanism
2 Problems Existing in Digital Transformation of DCS
3 Composition of Digital Transformation
3.1 DCS Controller Configuration
3.2 Default Value Implementation
3.3 Logic Optimization of Turbine Trip and Rejection Signals (GST System)
4 Results
5 Conclusion
References
Closed-Loop Management Optimization of Technical Change in PWR Nuclear Power Plant
1 Introduction
2 Existing Problems of Change Management
3 General Introduction of Optimization Scheme
3.1 Overall Technical Scheme
3.2 Detailed Technical Scheme
4 Implementation Effect
5 Conclusion
Reference
Research on the Application of STPA Method in Reliability Analysis of Safety Spray Control in NPP
1 General
2 The Characteristics of STPA Method
3 The Reliability Analysis of the Safe Spray Control
3.1 The Engineering Problem of Spray Control
3.2 Reliability Modeling Based on STPA Method
3.3 Improvement Suggestions Based on STPA Result
4 Conclusions
References
Study for Reliability Analysis of Operator Response Process Under IBLOCA Accident in Nuclear Power Plant
1 Introduction
2 Analysis of IBLOCA Accident Scenario
3 Overview of Operator Response Process
3.1 Required Operator Actions
3.2 Overview of Operator Response Process in Main Control Room (MCR)
4 Analysis of Potential Errors in Operator Response Process
4.1 Task Analysis
4.2 Potential Error Identification
5 Human Reliability Assessment
5.1 Fault Tree Structure of Operator Response Process
5.2 Recovery Opportunities
5.3 Dependency Analysis
5.4 Human Error Probability of Operator Response Process
6 Conclusions
References
Failure Analysis and Optimization of Turbine Speed-Up Control for Nuclear Power Plant
1 Introduction
2 Original Scheme
3 Failure Analysis
4 Optimization Scheme
5 Conclusions
References
Research on Application of Humidity Instrument in Nuclear Power Plant Ventilation System
1 Introduction
2 Analysis of Humidity Measurement Scheme
2.1 Common Methods of Humidity Measurement
2.2 A New Optical Fiber Humidity Measurement Method
3 Application Requirements of Humidity Instrument in Ventilation System of Nuclear Power Plant
4 Application Analysis of Humidity Instrument in Ventilation System of Nuclear Power Plant
5 Conclusion
References
Current Situation Analysis and Research of Computer-Based Procedure System for Nuclear Power Plant
1 Introduction
2 Regulations and Standards Requirement
2.1 Regulations and Standards
2.2 CBP System Type
3 Current Situation Analysis of CBP System
3.1 CBP System of CPR1000
3.2 CBP System of EPR
3.3 CBP System of AP1000
3.4 Comparative Analysis
4 Analysis and Proposal for CBP System Improvement
References
Study on the Design of HSI Color System in Nuclear Power Plant
1 Introduction
2 Color Application Requirements in Human-System Interface Design
2.1 Color Consistency
2.2 Color Coding Requirements in Different Situations
2.3 Selection of Color Coding
2.4 Requirements for Color Contrast and Display Color Difference
2.5 Types and Recommended Usage of Color Coding
2.6 Redundancy of Color Coding
3 Comparison of Color Schemes for In-Service Power Plants
3.1 Color Schemes in Several Typical Cases
3.2 Comparative Analysis of Color Scheme Application
4 Color Application Feedback from Nuclear Power Plants
5 HPR1000 Color Scheme Design
5.1 Color Scheme Design Principle
5.2 HPR1000 Color Scheme
6 Summary and Prospect
References
Study for Human Reliability Analysis on Reactor Pit Injection for SA Mitigation in NPP
1 Introduction
2 Assessment Methodology
2.1 Qualitative Analysis
2.2 Quantitative Analysis
3 Human Reliability Analysis for Reactor Pit Injection
3.1 Description of the Assessed Scenario
3.2 Qualitative Analysis for SA Diagnosis
3.3 Quantitative Analysis for SA Diagnosis
3.4 Qualitative Analysis for Reactor Pit Injection
3.5 Quantitative Analysis for Reactor Pit Injection
3.6 The Quantification for Reactor Pit Injection
4 Improvement Recommendations
5 Conclusion
References
Research and Application of Life Monitoring Scheme of Plant Computer Information and Control System
1 Introduction
2 Analysis of PCICS Life Monitoring in Design Scope
3 Overview of PCICS Life Monitoring Scheme
4 PCICS Life Monitoring Function Analysis
5 Experiment of PCICS Minimum Configuration
6 Conclusions
References
Application Research on Intelligent Fault-Diagnosis of Nuclear Power Plant Equipment Based on Support Vector Machine
1 Introduction
2 Multi Class Classification Algorithm Based on 2-support Vector Machine
2.1 One Against One Classification
2.2 One Against All Classification
2.3 Linear Binary Tree Classifications
2.4 Selection of Kernel Functions
3 SVM Classification Training and Application
3.1 Vibration Test Device and Fault Feature Extraction
3.2 Characteristic Value of Ascending and Descending Speed Trend
3.3 Fault Sample Data Collection
3.4 Fault Classification Test Based on SVM
3.5 Test and Results
4 Conclusion
References
Safety and Reliability Analysis Based on the FMECA of the Fire Protection System of NPPs
1 Introduction
2 Brief Introduction of Fire Protection System in NPPs
3 Operation Status of the Fire Protection System
4 FMECA Analysis of Fire Protection System
5 Preventive Maintenance Strategy and Optimization Suggestions
6 Conclusion
References
Improvement in Test Methods and Structural Design for In-core Coolant Level Detector of HPR1000
1 Introduction of Level Detector
2 Functional Test Issues
3 Root Causes Analysis and Improvement
3.1 Root Causes Analysis
3.2 Improvement Measures
4 Result
5 Conclusions
References
Discussion of Intelligent IP Camera Application in Nuclear Power Plant Video Monitoring System
1 Introduction
2 Video Surveillance Requirements of Nuclear Power Plants
2.1 Security Requirements
2.2 Intelligent Requirements
2.3 Upgrade Requirements
3 Functions and Advantages of Smart IP Cameras
3.1 Easy to Manage/Expand/Upgrade
3.2 Bandwidth Saving
3.3 Front-End Intelligent Functions
4 Intelligent Video Function
4.1 Intelligent Processing and Optimization
4.2 Intelligent Analysis
5 Summary
References
Research About Smart Power Plant for Chinese Heavy-Duty Gas Turbine Development and Application
1 Introduction
1.1 Smart Power Plant Summarize
2 Different Contents in Different Phases
2.1 Engineering Phase
2.2 Manufacture Phase
2.3 Construction Phase
2.4 Commissioning Phase
2.5 Operation and Maintenance Phase
3 Building Modes
3.1 Forward Mode
3.2 Backward Mode
4 Technical Solution
4.1 Process Analysis
4.2 Data Flow Analysis
4.3 Budget and Benefit Analysis
5 Conclusion
References
Intelligent Safety Monitoring System for Nuclear Power Plant Based on the Convolution Neural Network
1 Introduction
2 System Framework Design
2.1 A Subsection Sample
3 System Technical Principles
3.1 Convolution Neural Network
3.2 Realization of Feature Recognition
4 Data Acquisition and Model Training
4.1 A Subsection Sample
4.2 Safety Helmet Wearing Data Set
4.3 Model Training
5 System Test
5.1 Simulation Test
5.2 Field Test
6 Conclusion
References
Improvement and Research on the Level Measurement of High Low Pressure Heater and Deaerator in Nuclear Power Plant
1 Introduction
2 Faults Analysis of the Liquid Level Switch
3 Selection Analysis on Replacing the Liquid Level Switch with the Liquid Level Transmitter
3.1 Replace the Liquid Level Switch with the Liquid Level Transmitter
3.2 Measurement Principle and Selection of Level Transmitter
3.3 Improved Scheme
4 Conclusions
References
Qualification Test Research on Level Transmitter Equipment for Diesel Engine Lubricating Oil System
1 Introduction
2 Items and Requirements for Equipment Qualification
2.1 IEEE Std 323 Qualification Requirements
2.2 RCC-E Specification
2.3 Analysis of the Difference Between KTA3505 and Other Standards
3 Qualification Requirements
3.1 Test Sample
3.2 Test Conditions
3.3 Test Equipment
3.4 Test Implementation and Results
4 Conclusion
References
Study on the Load Following Control of SMR with Flexible Load
1 Introduction
2 Dynamic Model
3 The Control System Design
4 Results and Discussion
5 Conclusion
References
The Verification for RRC System of Nuclear Power Plant Based on Digital Twins Technologies
1 Introduction
2 RRC Digital Twins Technique
2.1 Digital Twins Modelling Technique
2.2 RRC Design Verification Technique
2.3 RRC Design Verification Based on Digital Twins
3 Modelling of RRC Digital Twins System
4 Verification Examples of RRC Digital Twins System
4.1 Verifying the Trip Event
4.2 Verification of Pressurizer Pressure Control
5 Conclusions
References
Research on a Low-Latency Communication Module for the Reactor Protection System
1 Introduction
2 Response Time of Showdown a Nuclear Reactor
2.1 Architecture of Reactor Protection System
2.2 Signal Process of RPS
3 A FPGA-Based Low-Latency Communication Module
3.1 Analysis of Current Communication Modules (NCU)
3.2 A FPGA-Based Low-Latency Communication Module
4 Verification and Analysis
4.1 Verification
4.2 Analysis of Result
4.3 Analysis of the Response Time
5 Conclusion
References
Research About Software Verification and Validation of Control and Protection System for Chinese Heavy-Duty Gas Turbine
1 Introduction
2 Difficulties in Control and Protection System of Heavy Duty Gas Turbine
3 Discussion on Key Points of Software V&V Scheme
3.1 The Organizational Model of Maintaining Relative Independence
3.2 Identify Software V&V Processes and Tasks
3.3 Selection of Test Methods and Verification Tools
3.4 Problem Handling Process
4 Conclusion and Prospect
References
Author Index
Recommend Papers


Lecture Notes in Electrical Engineering 779

Yang Xu · Yongbin Sun · Yanyang Liu · Feng Gao · Pengfei Gu · Zheming Liu   Editors

Nuclear Power Plants: Innovative Technologies for Instrumentation and Control Systems The Fifth International Symposium on Software Reliability, Industrial Safety, Cyber Security and Physical Protection of Nuclear Power Plant (ISNPP)

Lecture Notes in Electrical Engineering Volume 779

Series Editors
Leopoldo Angrisani, Department of Electrical and Information Technologies Engineering, University of Napoli Federico II, Naples, Italy
Marco Arteaga, Departament de Control y Robótica, Universidad Nacional Autónoma de México, Coyoacán, Mexico
Bijaya Ketan Panigrahi, Electrical Engineering, Indian Institute of Technology Delhi, New Delhi, Delhi, India
Samarjit Chakraborty, Fakultät für Elektrotechnik und Informationstechnik, TU München, Munich, Germany
Jiming Chen, Zhejiang University, Hangzhou, Zhejiang, China
Shanben Chen, Materials Science and Engineering, Shanghai Jiao Tong University, Shanghai, China
Tan Kay Chen, Department of Electrical and Computer Engineering, National University of Singapore, Singapore, Singapore
Rüdiger Dillmann, Humanoids and Intelligent Systems Laboratory, Karlsruhe Institute for Technology, Karlsruhe, Germany
Haibin Duan, Beijing University of Aeronautics and Astronautics, Beijing, China
Gianluigi Ferrari, Università di Parma, Parma, Italy
Manuel Ferre, Centre for Automation and Robotics CAR (UPM-CSIC), Universidad Politécnica de Madrid, Madrid, Spain
Sandra Hirche, Department of Electrical Engineering and Information Science, Technische Universität München, Munich, Germany
Faryar Jabbari, Department of Mechanical and Aerospace Engineering, University of California, Irvine, CA, USA
Limin Jia, State Key Laboratory of Rail Traffic Control and Safety, Beijing Jiaotong University, Beijing, China
Janusz Kacprzyk, Systems Research Institute, Polish Academy of Sciences, Warsaw, Poland
Alaa Khamis, German University in Egypt El Tagamoa El Khames, New Cairo City, Egypt
Torsten Kroeger, Stanford University, Stanford, CA, USA
Yong Li, Hunan University, Changsha, Hunan, China
Qilian Liang, Department of Electrical Engineering, University of Texas at Arlington, Arlington, TX, USA
Ferran Martín, Departament d’Enginyeria Electrònica, Universitat Autònoma de Barcelona, Bellaterra, Barcelona, Spain
Tan Cher Ming, College of Engineering, Nanyang Technological University, Singapore, Singapore
Wolfgang Minker, Institute of Information Technology, University of Ulm, Ulm, Germany
Pradeep Misra, Department of Electrical Engineering, Wright State University, Dayton, OH, USA
Sebastian Möller, Quality and Usability Laboratory, TU Berlin, Berlin, Germany
Subhas Mukhopadhyay, School of Engineering & Advanced Technology, Massey University, Palmerston North, Manawatu-Wanganui, New Zealand
Cun-Zheng Ning, Electrical Engineering, Arizona State University, Tempe, AZ, USA
Toyoaki Nishida, Graduate School of Informatics, Kyoto University, Kyoto, Japan
Federica Pascucci, Dipartimento di Ingegneria, Università degli Studi “Roma Tre”, Rome, Italy
Yong Qin, State Key Laboratory of Rail Traffic Control and Safety, Beijing Jiaotong University, Beijing, China
Gan Woon Seng, School of Electrical & Electronic Engineering, Nanyang Technological University, Singapore, Singapore
Joachim Speidel, Institute of Telecommunications, Universität Stuttgart, Stuttgart, Germany
Germano Veiga, Campus da FEUP, INESC Porto, Porto, Portugal
Haitao Wu, Academy of Opto-electronics, Chinese Academy of Sciences, Beijing, China
Walter Zamboni, DIEM - Università degli studi di Salerno, Fisciano, Salerno, Italy
Junjie James Zhang, Charlotte, NC, USA

The book series Lecture Notes in Electrical Engineering (LNEE) publishes the latest developments in Electrical Engineering - quickly, informally and in high quality. While original research reported in proceedings and monographs has traditionally formed the core of LNEE, we also encourage authors to submit books devoted to supporting student education and professional training in the various fields and application areas of electrical engineering. The series covers classical and emerging topics concerning:

• Communication Engineering, Information Theory and Networks
• Electronics Engineering and Microelectronics
• Signal, Image and Speech Processing
• Wireless and Mobile Communication
• Circuits and Systems
• Energy Systems, Power Electronics and Electrical Machines
• Electro-optical Engineering
• Instrumentation Engineering
• Avionics Engineering
• Control Systems
• Internet-of-Things and Cybersecurity
• Biomedical Devices, MEMS and NEMS

For general information about this book series, comments or suggestions, please contact leontina. [email protected]. To submit a proposal or request further information, please contact the Publishing Editor in your country:

China: Jasmine Dou, Editor ([email protected])
India, Japan, Rest of Asia: Swati Meherishi, Editorial Director ([email protected])
Southeast Asia, Australia, New Zealand: Ramesh Nath Premnath, Editor ([email protected])
USA, Canada: Michael Luby, Senior Editor ([email protected])
All other Countries: Leontina Di Cecco, Senior Editor ([email protected])

** This series is indexed by EI Compendex and Scopus databases. **

More information about this series at http://www.springer.com/series/7818

Yang Xu · Yongbin Sun · Yanyang Liu · Feng Gao · Pengfei Gu · Zheming Liu
Editors

Nuclear Power Plants: Innovative Technologies for Instrumentation and Control Systems The Fifth International Symposium on Software Reliability, Industrial Safety, Cyber Security and Physical Protection of Nuclear Power Plant (ISNPP)


Editors
Yang Xu, Department of Engineering Physics, Tsinghua University, Beijing, China
Yongbin Sun, China Techenergy Co., Ltd., Beijing, China
Yanyang Liu, Nuclear Power Institute of China, Chengdu, Sichuan, China
Feng Gao, China Nuclear Power Design Co., Ltd., Shenzhen, Guangdong, China
Pengfei Gu, China United Heavy Duty Gas Turbine Technology Co., Ltd, Shanghai, China
Zheming Liu, Product Information Committee of China Instrument and Control Society, Beijing, China

ISSN 1876-1100 ISSN 1876-1119 (electronic)
Lecture Notes in Electrical Engineering
ISBN 978-981-16-3455-0 ISBN 978-981-16-3456-7 (eBook)
https://doi.org/10.1007/978-981-16-3456-7

© The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021

This work is subject to copyright. All rights are solely and exclusively licensed by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Singapore Pte Ltd. The registered company address is: 152 Beach Road, #21-01/04 Gateway East, Singapore 189721, Singapore

Contents

Research on Converged Wireless Communication Network Scheme in Nuclear Power Plants . . . 1
Jia Meng, Ai-Fen Liu, Xiao-Fei Deng, and Wei Wei

Research About Computer Based System Reliability Demonstration Methods in Nuclear Power Plant . . . 8
Dan Xu, Zhao-Lei Hao, Hua Huang, and Xiao-Ming Qian

Multi-ray Intelligent Monitoring System for Mixed Radiation Field Measurements . . . 14
Jin-Xing Cheng, You-Peng Wu, Qing-Bo Wang, Wei-Wei Wen, Ai Yu, Rui Qiu, Yue Zhang, and Wen-Kai Zhu

Basic Model Design of Online Monitoring System for Mixed Radiation Field . . . 24
Jin-Xing Cheng, Wen-Kai Zhu, Qing-Bo Wang, Wei-Wei Wen, You-Peng Wu, and Ai Yu

Duty Ratio Restriction Strategies of Space Vector PWM for Power Amplifiers of AMBs . . . 30
Chun-Yi Wang, Kai Zhang, and Yang Xu

Research and Application of 3D Real-Time Simulation Technology for Thermal and Hydraulic Mechanism in Nuclear Power Plant . . . 45
Zheng-Hui Yang, Hao Wang, and Yi Zhang

Research on Software Quality Evaluation Model of Instrument and Control System in Nuclear Power Plant . . . 55
Huan-Lin Chen, Jian-Qiu Zhou, and Yan Li

The Security Based on Wireless Network in Nuclear Power Plant . . . 64
Dong Zhang and Sheng-Yong Liao

Information Fusion Analysis of Cyberattack Identification Based on D-S Evidence Theory . . . 71
Chao Guo, Jiang-Hai Li, Wen Si, and Xiao-Jin Huang

Power Control System of Small Modular PB-Bi Fast Reactor (SMPBR) . . . 84
Ao-Di Sun and Xin-Yu Wei

Research on Integrated Management Technology for Physical Protection System of Nuclear Facilities . . . 97
Wei-Wei Wen, Jin-Xing Cheng, You-Peng Wu, Qing-Bo Wang, Xian-Bo Chen, Lang Li, Ai Yu, and Wei Yuan

Calculation and Selection of Cross-Sectional Area of Instrumentation and Control Cable Core . . . 106
Xiao-Yu Liu and Xin-Nian Huang

The Formulation of BOP Auxiliary System Centralized Control Network in Nuclear Power Plant . . . 114
Xiao-Feng Li, Zhi-Yin Liu, Lei Jiang, Heng Li, and Zhou Xiao

An AHP-Fuzzy Complex Evaluation Method for MCR Human Factors Engineering Verification and Validation . . . 123
Yuan Gao and Yi-Wei Ma

Research on Control Strategy of Nuclear Island Ventilation Systems in Nuclear Power Plant . . . 134
Zhou Xiao, Heng Li, Li-Ming Zhang, Xin Du, and Hua-Qing Peng

The Safety Function Design Improvement of Circulation Water Filter System in CPR1000 Unit . . . 148
Lei Jiang and Hui Wang

A Study About Unit Testing for Embedded Software of Control System in Nuclear Power Plant . . . 157
Wang Xi, Wei Liu, Tao Bai, and Ji Shi

Design of Defence in Depth for I&C System in Pressurized Water Reactor Nuclear Power Plant . . . 164
Tao Fu, Gong-Jie Li, and Li-Ming Zhang

Test Analysis About Hydrogen Detection Equipment Under Severe Accident in Nuclear Power Plant . . . 177
Dan Xu, Zhou Xiao, Ya-Jie Tian, and Xiao-Ming Qian

Research of Advanced Control Algorithm in Primary Loop Control System . . . 186
Zhi-Guang Deng, Bi-Wei Zhu, Qian Wu, Peng He, Mei-Qiong Xiang, Tao Xu, and Yue Qing

Research of SSAE-GPC in Coordinated Control System of Nuclear Power Plant . . . 199
Zhi-Guang Deng, Qian Wu, Bi-Wei Zhu, Xin Lv, Jia-Liang Zhu, Si-Jie Xu, and Xue-Mei Wang

Reliability Verification Scheme for Safety Class DCS and Its Implementation in Nuclear Power Plant . . . 216
Ming-ming Liu, Yang Chen, Xian-jian He, and Biao Xu

An Ergonomic Analysis of Main Control Room Console in Nuclear Power Plant Based on Jack . . . 226
Yu-Tong Li, Ming-Ming Liu, Qing-Huai Huang, Nan Gao, Guan-Ron Liu, and Mao Zhou

Verification Method and Basic Guarantee of RPS Availability in Nuclear Power Plant . . . 239
Xian-Jian He, Ming-Ming Liu, Qing Zhang, Xiao-Jun Luo, and Jing Wen

Design Method of Human-Computer Interactive Interface of MTS Based on DCS of Nuclear Power Plant . . . 247
Li-Jun Dang, Jun Huang, and Qi Ye

Formally Verified a Front-End of the Trusted Code Generator for Safety I&C Software of NPPs . . . 260
Lin Lan, Quan Ma, Rong-Bin Hou, Wei Jiang, Ming-Xing Liu, Fei Yang, and Yong Li

Design of Emulation System for Safety DCS . . . 273
Hao Peng, Xu Zhang, Zhi-Guang Deng, Qi Chen, Yu Zhang, and Wei Jiang

Trusted Algorithm Compiler for Safety I&C Software of NPPs Based on Formal Methods . . . 282
Fei Yang, Lin Lan, Quan Ma, Wen-Xing Han, Ming-Xing Liu, and Wei Jiang

Design and Implementation of Translation-Based Virtual DCS Based on Simulink . . . 292
Xu Zhang, Zhi-Guang Deng, Quan Ma, and Ming-Ming Liu

Testing Verification of Pressurizer Control in Nuclear Power Plant Based on Comparative Simulation . . . 301
Xu Zhang, Zhi-Guang Deng, Hao Peng, and Qi Chen

Optical Fiber Communication and Wireless Communication Technology Oriented to Internet of Things . . . 316
Xiao-Chen Yang, Zhen-Yu Yan, Zeng-Jun Chun, and Lai-Long Zou

Research on Reliability Design of PROFIBUS Fieldbus System in Conventional Island of Nuclear Power Plant . . . 332
Xin-Nian Huang, Heng Li, Xiu-Sen Chen, and Xiao-Yu Liu

Research and Practice of Design Process (Knowledge) Reuse in the Data State Environment of Nuclear Power Design Company . . . 341
Jing Ma, Wei-Qi Dai, and Wei-Jian Lei

Study on the Feedwater Control of the Once-Through Steam Generator in the Sodium-Cooled Fast Reactor (SFR) . . . 354
Wen Jiao, Xin-Yu Wei, Pei-Wei Sun, and Xian-Shan Zhang

Design and Improvement for γ Dose-Rate Monitor System of Nuclear Power Plant . . . 370
Liang Li, Jin Fan, Yue Zhang, and Wei-jie Huang

Discussion on the Software V&V Technology in Nuclear Power Plants . . . 380
Hui-Hui Liang, Wang-Ping Ye, Wei Liu, and Jian-Zhong Tang

Research and Application of RPN Key Technologies in Nuclear Power Plants . . . 386
Ya-Jie Tian, Tian-You Li, Zhen-Yu Shen, Hua-Qing Peng, Rui Zhang, Li Zeng, Jing Shang, and Jing Li

Design of Intelligent Test System for RPI in Nuclear Power Plant . . . 400
Qian Wu, Na Sun, and Rui-Ping Zhang

Documentation Verification Based on Natural Language Processing for Safety-Critical Digital I&C System in NPP . . . 411
Tao Bai, Xin-Sheng Yang, Ji Shi, and Hua-Qing Peng

Software Quality Evaluation of Non-safety Digital I&C System in NPPs . . . 420
Wang-Ping Ye

Preliminary Study on Improving the Automation Level of Large Commercial Pressurized Water Reactor . . . 429
Dong-Bao Lv, Ri-Gang Chen, and Xi-Yun Li

Research and Application of FPGA V&V Technology in NPP Safety I&C System . . . 436
Sheng-Chao Wang, Wang-Ping Ye, and Tao Bai

Research of Software V&V Technology in the Non-safety DCS of NPPs . . . 444
Sheng-Chao Wang, Wang-Ping Ye, Jian-Zhong Tang, and Tao Bai

Structural Design and Dynamic Analysis of Nuclear Safety DCS Cabinet with Light-Weight and Impact Resistance . . . 452
Jun-An Dai, Ming-Xing Liu, Xiao Wu, Zhi Chen, Dong-Wei Wang, Fa-Qiang Li, and Chang-Wen Yao

Research and Application of the Verification and Validation Method Based on Embedded Technology in Nuclear Power Plants . . . 463
Chao Zhang, Wang-Ping Ye, Sheng-Chao Wang, and Ji Shi

Research and Application of Time-PSF Calculation Method for HRA in Nuclear Power Plant . . . 470
Qian Wu, Yi-Ming Liu, and Rui-Ping Zhang

Reliability Assessment Research and Application for PCBA Solderless Press-In Connection Technique in DCS Safety Class Devices in Nuclear Power Plants . . . 483
Zhong-Qi Liang, Jian-Gang Li, Rui-Feng Zhang, and Lian-Chun Wang

Research on the Application of Human Factors Engineering in the Physical Protection System of Nuclear Facilities . . . 490
Bi-Yao Wang, Hua-Ping Chen, Jian Liu, Ji-Wei Zhang, Shuang Li, Qian Zhang, and Zhen-Hua Luan

The Design and Implementation of an LSTM-Based Steam Generator Level Prediction Model . . . 505
Jing-Ke She, Jia-Ni Wang, Su-Yuan Yang, and Shi-Yu Xue

Research on Defense-In-Depth Standards for Information Security in NPP I&C System . . . 518
Zhi-Wu Guo, Lu Zhu, and Liang Zhou

The Analysis for Method of I&C Equipment Period Demonstrating in NPP Refueling Cycle Extension Project . . . 527
Zhi-Wu Guo and Long-Qiang Zhang

Spurious Actuation of I&C Systems Analysis Methodology in Nuclear Power Plant . . . 536
Zhen Yang, Hui Jiang, Ya-Jie Tian, Jia-Lin Ping, and Huan Huang

Analysis for Periodic Test Interval of Digital I&C System for NPP Based on PSA Technology . . . 551
Sun Wei and Li-Ming Zhang

Research and Application of Nuclear Instrumentation System EMI Design in Nuclear Power Plant . . . 563
Jing Li, Li-Ming Zhang, Tian-You Li, and Jing Shang

Research on the Design Improvement of Important Function Interface for Tripping and Load Rejection in Nuclear Power Plant . . . 573
Shan-Shan Gu, Bin Zeng, Heng Li, Li-Ming Zhang, and Hua-Qing Peng

Closed-Loop Management Optimization of Technical Change in PWR Nuclear Power Plant . . . 582
Min Long, Fang Li, and Li-Chuang Tian

Research on the Application of STPA Method in Reliability Analysis of Safety Spray Control in NPP . . . 589
You-Ran Li

Study for Reliability Analysis of Operator Response Process Under IBLOCA Accident in Nuclear Power Plant . . . 599
Zhi-Hui Xu, Jie-Mei Zhang, Xue-Gang Zhang, Ming Jia, De-Song Su, and Hua-Qing Peng

Failure Analysis and Optimization of Turbine Speed-Up Control for Nuclear Power Plant . . . 610
Le-Yuan Bai, Xu-Feng Wang, Heng Li, and Bin Zeng

Research on Application of Humidity Instrument in Nuclear Power Plant Ventilation System . . . 616
Lu Liu, Heng Li, Zhi-Yin Liu, and Zhou Xiao

Current Situation Analysis and Research of Computer-Based Procedure System for Nuclear Power Plant . . . 623
Can Zhou, Yong-Quan Xie, and Zhi-Yao Liu

Study on the Design of HSI Color System in Nuclear Power Plant . . . 633
Xiao-Mei Xu, Xing-Can Yang, De-Song Su, and Xue-Gang Zhang

Study for Human Reliability Analysis on Reactor Pit Injection for SA Mitigation in NPP . . . 641
Jie-Mei Zhang, Zhi-Hui Xu, Xue-Gang Zhang, Ming Jia, and De-Song Su

Research and Application of Life Monitoring Scheme of Plant Computer Information and Control System . . . 649
Jian-Wang Qiao, Bo Cheng, Jie Zou, Hua-Qing Peng, Li-Ming Zhang, Yi-Qian Wu, and Zhen-Hua Luan

Application Research on Intelligent Fault-Diagnosis of Nuclear Power Plant Equipment Based on Support Vector Machine . . . 657
Kai Gu, Zhi-Hong Lv, Jian-Quan Xu, Zhang-yu, and Hua-Qing Peng

Safety and Reliability Analysis Based on the FMECA of the Fire Protection System of NPPs . . . 665
Xu-Tao Bai, Dan-Dan Sun, Hua-Song Fang, and Xiao-Chen Zhang

Improvement in Test Methods and Structural Design for In-core Coolant Level Detector of HPR1000 . . . 674
Wei-Jie Huang, Peng Deng, Bao-Cheng Li, Zhi-Jun Li, and Liang Li

Discussion of Intelligent IP Camera Application in Nuclear Power Plant Video Monitoring System . . . 681
Lei Li, Fei-Yang Sun, Zheng-Tao Chen, and Ya-Jie Tian

Research About Smart Power Plant for Chinese Heavy-Duty Gas Turbine Development and Application . . . 688
Guo-Gang Shu, Peng-Fei Gu, Xue-Fei Zhai, Bao Heming, and Cao Ying

Intelligent Safety Monitoring System for Nuclear Power Plant Based on the Convolution Neural Network . . . 696
Xu-Tao Bai, Dan-Dan Sun, Xiao-Chen Zhang, and Bao-Cheng Sun

Improvement and Research on the Level Measurement of High Low Pressure Heater and Deaerator in Nuclear Power Plant . . . 706
Hai-Ying Fan, Hua-Qing Peng, Xin-Nian Huang, Heng Li, and Xiao-Feng Li

Qualification Test Research on Level Transmitter Equipment for Diesel Engine Lubricating Oil System . . . 716
Jing-Yuan Yang, Gang Jin, Qi Wu, and Li-Qin Zhang

Study on the Load Following Control of SMR with Flexible Load . . . 724
Ming-Ming Liu, Ao-Di Sun, Lei-Lei Qiu, Ru Zhang, and Xin-Yu Wei

The Verification for RRC System of Nuclear Power Plant Based on Digital Twins Technologies . . . 738
Jia-Lin Ping, Li-Ming Zhang, Can Zhou, Chun-Bing Wang, and Chao Lu

Research on a Low-Latency Communication Module for the Reactor Protection System . . . 746
Le Li, Zhi-Hui Zhang, Jian-Xin Ma, and Chao Gao

Research About Software Verification and Validation of Control and Protection System for Chinese Heavy-Duty Gas Turbine . . . 757
Peng-Fei Gu, Zhe-Ming Liu, He-Ming Bao, Tao Bai, and Xue-Fei Zhai

Author Index . . . 765

Research on Converged Wireless Communication Network Scheme in Nuclear Power Plants

Jia Meng (corresponding author), Ai-Fen Liu, Xiao-Fei Deng, and Wei Wei
Hualong Pressurized Water Reactor Technology Corporation Ltd., Beijing, China
[email protected]

Abstract. In this paper, two-way converged wireless communication network (WCN) schemes based on combiners are investigated for three cases in nuclear power plants (NPPs). Firstly, the applications of WCN in NPPs are listed, including conventional voice communication and other extended demands. Then the respective advantages and disadvantages of the existing mainstream wireless communication technologies in NPPs are described; from these it follows that the existing single wireless communication technology should be retained and other wireless communication technologies converged with it via combiners. Secondly, the paper discusses the converged WCN scheme for cases where the coverage area is small and has no blind area. Thirdly, the paper describes the converged WCN scheme for cases where the coverage area is large and feeder installation is unrestricted. Lastly, the paper discusses the converged WCN scheme for cases where the coverage area is large but multiple-feeder installation is restricted, so that signals can only be transmitted by a single feeder. The above three WCN schemes can converge the installed and other wireless communication technologies under different circumstances. Because different wireless communication technologies complement each other, various kinds of intelligent business requirements in NPPs can be satisfied and the reform cost can also be reduced effectively. Furthermore, this is of great significance for enhancing the reliability and performance of the wireless communication system in NPPs.

Keywords: Nuclear power plants · Converged wireless communication network · Combiner

1 Introduction

As a valid alternative to wired communication networks, wireless communication networks (WCN) have gradually been deployed in nuclear power plants (NPPs). To meet the needs of mobile communication under normal and accident conditions in NPPs, especially when the wired communication system is not available, a WCN can be widely used for making calls and announcing emergency information. With the growing demand for digitization, intelligence and informatization, WCN is being tried in many extended applications, such as personnel positioning, video surveillance, equipment monitoring, radiation monitoring, fire detection, and intelligent operation and maintenance [1].

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 1–7, 2021. https://doi.org/10.1007/978-981-16-3456-7_1

At present, some NPPs adopt Personal Handy-phone System (PHS) technology, some adopt Multi-carrier Wireless information Local Loop (McwiLL) technology, some adopt TD-LTE technology, and some adopt Wi-Fi technology [2]. Each of the existing mainstream wireless communication technologies in NPPs has its own advantages and disadvantages. Wi-Fi technology has a higher data transfer rate and lower base-station transmitting power and power dissipation, but its coverage and mobility are limited. McwiLL and TD-LTE technology can cover larger distances and have better mobility, but base-station transmitting power and power dissipation are higher. The data transfer rate of TD-LTE technology is higher than that of McwiLL technology. PHS technology has the lowest data transfer rate and has been withdrawn from the market since December 2010; many device manufacturers have gradually shut down production and the industry chain has been interrupted, which poses a threat to the operation and maintenance of wireless communication systems in NPPs. Each single-network scheme takes no account of redundancy or fault-tolerance principles, so it usually has low reliability. Moreover, a single-network scheme cannot satisfy different types of business requirements. If PHS or McwiLL technology alone is applied in an NPP, TD-LTE or Wi-Fi technology must be introduced to meet intelligent business requirements that need a higher data transfer rate. If Wi-Fi technology alone is applied, TD-LTE technology must also be introduced to meet operation and maintenance requirements that need larger coverage and stronger penetration. Therefore, a two-way converged scheme based on distributed base stations is applied in the indoor coverage reform scheme of the wireless communication system in NPPs: one indoor distribution path is shared with the other wireless communication technologies (PHS, McwiLL, Wi-Fi), and the other indoor distribution path is used for TD-LTE.

Retaining the existing single wireless communication technology in NPPs and converging other wireless communication technologies via combiners can not only satisfy different types of business requirements, but also reduce the reform cost effectively without disrupting the existing WCN. The complementarity of the various wireless communication technologies is of great significance for enhancing the performance and reliability of the WCN in NPPs.

The rest of this paper is organized as follows. Three converged WCN schemes for different cases, classified by coverage area and feeder installation, are discussed:

Case 1: The coverage area is small and there is no blind area.
Case 2: The coverage area is large and feeder installation is unrestricted.
Case 3: The coverage area is large and feeder installation is restricted.

The converged WCN scheme for case 1 is presented in Sect. 2, the scheme for case 2 in Sect. 3, and the scheme for case 3 in Sect. 4. Finally, conclusions are drawn in Sect. 5.

2 Converged WCN Scheme for Case 1

For the cases where the coverage area is small and there is no blind area, the converged WCN scheme based on a Building Baseband Unit (BBU), Remote Radio Unit (RRU) and single-polarized antenna/dual-polarized antenna is applied in the indoor coverage reform scheme of the wireless communication system in NPPs. The BBU is placed in the communication room of the nuclear island, and an RRU is installed in the weak current equipment room on each floor. Together, the BBU and RRUs are the equivalent of the distributed base station of the TD-LTE system. Optical fibers are used for transmission between the BBU and RRUs: optical fibers in the trunk line and coaxial cables in the branches. There is little attenuation when the signal is transmitted through optical fibers, so the overall feedline loss is reduced and the system is far less dependent on trunk amplifiers [3]. The BBU and RRUs are very flexible in terms of capacity configuration. Scalability is achieved by connecting multiple RRUs and allocating enough capacity to the RRUs in a given area according to the capacity requirements. The converged WCN scheme for case 1 is shown in Fig. 1. The working frequency of PHS ranges from 1900 MHz to 1920 MHz. The working frequency of McwiLL ranges from 1785 MHz to 1805 MHz. The working frequency of TD-LTE ranges from 2320 MHz to 2370 MHz. The working frequency of Wi-Fi is 2.4 GHz [4]. Several input signals in different frequency bands need to be combined into a single output by combiners, which are placed in the communication room of the nuclear island. Combiners should have ports for each frequency band and satisfy the interference isolation demands between the different systems. As Wi-Fi works in the highest frequency band, it has the largest link loss over the same distance. The Wi-Fi base station also has the lowest transmitting power and the most limited coverage range, so Wi-Fi is combined at the end of the branch [5]. The coupler is the device that extracts part of the signal from the trunk line. The power splitter is an equal-energy distribution device that divides the power signal into equal amounts for different coverage areas. Couplers and power splitters are selected according to indicators such as input/output standing wave ratio, insertion loss, input impedance and coupling degree [6]. The working frequency of the couplers and power splitters ranges from 1700 MHz to 2500 MHz.
RRU or combiners are in turn connected to the coupler, power splitter, and the antenna through coaxial cables.

Fig. 1. The converged WCN scheme for case 1

3 Converged WCN Scheme for Case 2

For the cases where the coverage area is large and feeder installation is unrestricted, the converged WCN scheme based on BBU, RRU, a dual-feeder MIMO repeater and single-polarized antenna/dual-polarized antenna is employed in the indoor coverage reform scheme of the wireless communication system in NPPs. The converged WCN scheme for case 2 is shown in Fig. 2. Two downlink signals from the sources enter the downlink input ports of the dual-feeder multiple-input multiple-output (MIMO) repeater after passing the couplers. Stray and interference signals are filtered out by the filters, and the useful radio frequency signals pass the circulators and are amplified by the trunk amplifiers. To improve the quality of signal coverage, the signal power for wireless communication terminals can be compensated flexibly and easily by the trunk amplifier. The amplified signals then pass through the circulators, filters and power splitters in turn and enter the coverage areas. The wireless signals are transmitted by the single-polarized or dual-polarized antenna, and thus the coverage of downlink signals is completed. The wireless signals from the wireless terminals are picked up by the antennas. Interference signals are filtered out by the filters and the useful signals are amplified by the low noise amplifiers. The amplified signals leave the MIMO repeater after passing the circulators and the filters in turn. Finally, the two-way signals pass through the couplers and enter the source receivers, and thus the coverage of uplink signals is completed. The coverage performance of the wireless communication system is also influenced by the selection and installation of the antenna. Antennas are divided into single-polarized and dual-polarized antennas according to their polarization direction. Dual-polarized antennas can be installed in open spaces such as corridors in NPPs. In independent, closed spaces such as equipment rooms in NPPs, the performance of a dual-polarized antenna decreases significantly compared with a single-polarized antenna, so single-polarized antennas are preferred wherever the installation space allows. To ensure MIMO performance, the low-correlation requirement between the two antenna channels is met by increasing the distance between the two single-polarized antennas. The distance between the two single-polarized antennas should be more than 1.25 m, and at least 0.5 m if the actual installation space is limited [7].
The working frequency of antenna ranges from 1700 MHz to 2500 MHz. The power basic unit and the power extension unit are configured to supply power for the dual-feeder MIMO repeater. The monitoring unit is configured to monitor the power state of the dual-feeder repeater and output power of two-way signals remotely. The frequency of monitoring unit can be chosen between 300 MHz and 1000 MHz. However, considering that the working frequency of couplers and power splitters mostly ranges from 800 MHz to 2500 MHz, the frequency of monitoring unit is selected between 800 MHz and 1000 MHz.

Fig. 2. The converged WCN scheme for case 2


4 Converged WCN Scheme for Case 3

For the cases where the coverage area is large but multiple-feeder installation is restricted and signals can only be transmitted over a single feeder, the converged WCN scheme based on BBU, RRU, a single-feeder MIMO repeater and single-polarized antenna/dual-polarized antenna is employed in the indoor coverage reform scheme of the wireless communication system in NPPs. The single-feeder active antenna wireless communication system is realized by means of frequency conversion over a single feeder. The converged WCN scheme for case 3 is shown in Fig. 3. The single-feeder MIMO repeater consists of a proximal module and a remote module, connected via a single feeder. One proximal module can connect to multiple remote modules. Two downlink signals from the sources enter the downlink input ports of the single-feeder MIMO repeater after passing the couplers. Stray and interference signals are filtered out by the filters in the proximal module. The two useful signals pass through the circulators and are then converted by the mixers to different frequencies, separated by an interval chosen so that they do not interfere with each other. The two signals are then combined into a single signal by the combiner and amplified by the amplifier. The amplified radio frequency signal passes through the circulator and is transmitted to the remote module over the single main feeder. In the remote module, after passing the circulator, the signal is first separated by the splitter into two signals at the different frequencies. The two separated signals then pass through the mixers and the amplifiers in turn and are restored to the two signals at their original frequencies. Finally, the two signals pass through the circulators, the filters and the power splitters in turn and are transmitted by the single-polarized or dual-polarized antenna.
The wireless signals from the wireless terminals are picked up by the antennas and received by the remote module. Stray and interference signals are filtered out by the filters. The two useful signals enter the circulators and are combined into a single signal by the combiner. This single signal is amplified by the amplifier, passes through the circulator and is then transmitted to the proximal module. In the proximal module, the signal first passes through the circulator and is then divided into two signals by the power splitter. The two signals leave the proximal module after passing the circulators and the filters. Finally, the two signals are transmitted back to the sources by the couplers, and thus the transmission of uplink signals is completed. In this scheme, the output signal power of the frequency conversion link can be adjusted flexibly so that the power deviation between the two signals is guaranteed to be within 3 dB. This effectively cuts the losses of throughput and system capacity caused by power imbalance between the two signals, so that the data transfer rate is as close as possible to the theoretical maximum uplink and downlink data transfer rate. The proximal module uses an independent power supply, which includes a direct current (DC) power supply and an alternating current (AC) power supply. The DC power supply converts 48 V DC into 5 V and 12 V using a DC-DC unit in the backplane. The AC power supply converts 220 V AC into 48 V DC using an AC-DC unit [8]. The remote module is powered remotely via the feeder. The 48 V DC signal and the radio frequency signals are fed into the same feeder in the proximal module and transmitted to the remote module. In the remote module, the power signal is separated from the radio frequency signals by the distributor. Hence, components that allow the DC signal to pass through also need to be selected for the power splitter and the coupler. This way of remote power supply over the feeder requires little engineering rework, since no new feeder has to be added. The proximal module has a built-in power basic unit, which refers to the DC-DC unit and AC-DC unit. A power extension unit, which allows the proximal module to connect more remote modules, is also configured in the proximal module. Both the proximal module and the remote module have built-in monitoring units that use a frequency-shift keying (FSK) modem chip. The monitoring unit can monitor the power state of the modules and the output power of the two signals remotely, and can also control the signal gain.

Fig. 3. The converged WCN scheme for case 3

5 Conclusion

This paper presents three converged WCN schemes for NPPs based on the combiner, for different cases according to coverage area and feeder installation. The indoor coverage reforming scheme of the wireless communication system in NPPs employs the two-way converged scheme, in which one indoor distribution path is shared by PHS, McwiLL and Wi-Fi technology and the other is used for TD-LTE technology alone. Through the combination of these four wireless communication technologies, the various business requirements of intelligent NPPs are satisfied. The scheme reduces the reform cost effectively without removing the existing wireless communication technology, and it compensates for the weaknesses and takes advantage of the strengths of each single wireless communication technology. With the application of the converged WCN scheme, NPPs will develop in the direction of digitization, informatization and intelligentization.


References

1. Liming, W., Yuzhou, K.: Application and prospect of nuclear power wireless telephone system. China New Telecommun. 16(20), 76–80 (2014)
2. Peng, X., Bujing, G.: Specially improved McWiLL technology in the application of Hongyanhe nuclear power plant. Inf. Secur. Technol. 4(12), 77–79 (2013)
3. Tao, Z., Yunan, H., Fuchang, L.: Research on the evolution solution of indoor distribution system for LTE system. Des. Tech. Posts Telecommun. 3, 22–26 (2013)
4. Huiqi, L., Guiyu, C.: Analysis of interference between TD-LTE and other systems indoor distribution network. Telecommun. Netw. Technol. 11, 61–64 (2015)
5. Chenhui, D., Yanhui, H., Jiang, J.: Improvement and application of wireless coverage scheme for nuclear power station island. Elect. Test 13(5), 85–86 (2018)
6. Hong, H., Qingli, G.: Construction of TD-LTE indoor distribution system. Mobile Commun. 37(8), 29–33 (2013)
7. Zhaobiao, L., Xinzhong, L., Jun, Y.: Research on solution for LTE MIMO in indoor scenario. In: Proceedings on 2011 National Conference on Wireless Mobile Communication, pp. 44–48. Beijing (2011)
8. Xi, G.: Design and realization of active antenna which used in the transformation of the TD-LTE indoor distributed system. FiberHome Technologies (2014)

Research About Computer Based System Reliability Demonstration Methods in Nuclear Power Plant

Dan Xu1, Zhao-Lei Hao1, Hua Huang1, and Xiao-Ming Qian2(B)

1 State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co., Ltd., Shenzhen 518172, China
2 Nuclear and Radiation Safety Center, MEE, Beijing 100082, China

Abstract. This paper introduces the life cycle of I&C systems and the related quality control measures that guarantee reliability during the development and validation phases, analyzes software and hardware reliability prediction models, discusses the reliability demonstration method applicable to critical safety systems and puts forward a reliability demonstration analysis for safety critical systems in nuclear power plants.

Keywords: I&C system · Life cycle · Reliability demonstration

1 Background

In industries like the medical and aviation industries, the concept of a safety critical system is applied, meaning a system whose failure can cause serious injury or death to people, large financial loss or environmental harm. Due to the importance of safety critical systems, it is necessary to control the development process so as to guarantee their reliability [1]. The basic safety publication IEC 61508 is applicable to different industries; it puts forward the safety life cycle and defines failure consequence severity by probabilistic numbers [2]. In the nuclear industry, IEC 61508 has been interpreted into the specific standard IEC 61513 for general I&C system development, and the Reactor Protection System (RPS) is one of the safety critical systems [2, 3]. Conventional and computer based I&C technologies are the two main choices for control systems of a nuclear power plant; the former is usually used as a backup for the latter. Systems realized with software are the most common type of computer based system. For example, the RPS is a combination of hardware and software whose reliability is quite high and may be claimed as a Probability of Failure on Demand (PFD) of the order of 10^-4 per reactor-year. This article discusses ways to certify computer based I&C systems in nuclear power plants to meet their PFD claims.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021 Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 8–13, 2021. https://doi.org/10.1007/978-981-16-3456-7_2


2 Life Cycle of I&C System in Nuclear Power Plant

The life cycle of I&C systems can be divided into a development phase, an operation phase and a maintenance phase. Verification and validation activities are carried out throughout the development phase and are also executed when modifications happen in the operation and maintenance phases. The system reliability target or requirement is set at the very beginning of the development phase and guaranteed by adequate quality control measures. Quality control measures include a series of process control plans and the activities carried out under these plans. The Quality Assurance Plan defines all first-level activities related to system development. The I&C system reliability requirement demanded by safe plant operation is analyzed in the system requirement specification step. The Verification and Validation Plan defines the checking, testing and qualification activities that help confirm that all requirements are met and the system is correctly designed; verification and validation are two steps that follow the whole life cycle. The Configuration Management Plan defines the status identification of product and documentation and the modification control process. For problems found during verification and validation activities, this plan tells how to deal with them and how to archive them in the records. The Qualification Program defines system or product type tests combined with environmental conditions. Qualification includes theoretical analysis, type tests and experience feedback. Type testing usually combines theoretical analysis and experience feedback to define a proper test plan. Because of time limitations, extreme environmental factors are applied, but some doubt remains about normal ageing and long-duration effects. Other international standards, like RCC-E and IEC 60780, are used as complements to IEC 61513 [3–5].

The above methods give the audience confidence that systems have gone through a qualified life cycle and can perform well under normal or accident conditions; they show the behavior of reliable systems.

Fig. 1. I&C system life cycle


3 Hardware and Software Reliability Guarantee Methods

Basic reliability measures for an I&C system include Mean Time Between Failures (MTBF) and failure rate [6]. In nuclear power plants, reliability is claimed in the form of PFD, which can be understood as the number of failures on functional demand per year and per plant reactor. The reliability target for an I&C system is realized in both hardware and software. During the development phase, different tests or analyses, such as functional tests or debugging tests, are used to find defects and implement corrections that improve the reliability until the target is reached. The reliability estimation model applied in the development phase is called the reliability growth model.

3.1 Hardware Reliability Guarantee

In nuclear power plants, hardware reliability is guaranteed by a development life cycle similar to Fig. 1. The design verification and validation process, supplemented by qualification tests and failure mode and effects analysis (FMEA), provides adequate cases to check that the design requirements have been met and the expected product performance has been reached. Errors found during the tests or analyses are corrected and also treated as experience data to improve product quality. The experience model and the Physics of Failure (PoF) model are the two main models for electronic hardware reliability prediction [7, 8]. The experience model is based on experience data and guidebooks such as MIL-HDBK-217F [17]. Component operation data and assumptions about the equipment's working environment are the inputs of the experience model. The PoF model requires comprehensive knowledge of the equipment failure mechanisms and builds appropriate failure models.

3.2 Software Reliability Guarantee

Software in nuclear power plant I&C systems includes operational software and application software. IEC 60880, for software performing category A functions, and IEC 62138, for software performing category B and C functions, are used as complementary standards to IEC 61513 to guide software development [3, 9, 10]. Static and dynamic testing accompany the verification and validation process. Software reliability is mostly judged by MTBF and by traditional calculation methods including the Goel-Okumoto NHPP model, the J-M model and the S-W model, which are based on different assumptions about the software failure distribution. In recent years, more modern models have been put forward to make the failure indication more precise, such as a model based on unascertained theory [11, 12].

4 Computer Based System Reliability Demonstration Test

4.1 Testing Methods Discussion

Reliability changes as defects are found and corrected during the I&C system development process, as discussed in the preceding sections; the precondition for a reliability demonstration test implemented in the validation phase is that the reliability no longer changes [11].


Because most data taking part in reliability estimation or calculation are acquired from experience or designed sampling, the probability value can only be demonstrated by a large number of repeated tests (statistical testing). Articles have introduced different models for software reliability demonstration testing [11, 13]. The Nelson model, Shooman model and input-domain-based model are used in the software validation phase in article [11]. Eight methods of fixed-duration and non-fixed-duration testing are introduced and compared in article [13]. Article [14] gives examples of choosing testing methods according to the expectation and acceptance criteria; the comparison is shown in Table 1. As software cannot work without hardware, the testing methods carried out on software can be applied to the I&C system to a certain degree [15]. For critical safety systems, non-fixed-duration testing methods such as the PRST (probability ratio sequential test) method are not applicable [13, 16].

Table 1. Test methods comparison

| Item | Probability ratio sequential test | Fixed duration test | Zero failure test |
| --- | --- | --- | --- |
| Acceptance criteria | Consumer risk β, producer risk α, specified failure rate, minimum acceptable failure rate, infinite testing number | Consumer risk β, producer risk α, specified failure rate, minimum acceptable failure rate, finite testing number | Zero failure |
| Applicable scope | Software requiring very high or low quality | Validation project with limited resource or test time | Validation project requiring high reliability |
| Advantages | Testing result can be given by latest test | Maximum test cases or test duration is predefined | Maximum test cases or test duration is predefined |
| Disadvantages | Maximum test cases or test duration is unknown | Testing result can only be given until all test cases are finished | Testing result can only be given until all test cases are finished |

4.2 Statistical Testing in Nuclear Power Plant

The reliability of a critical safety system in a nuclear power plant can reach 10^-4, and the functions demanded by plant operation have a wide scope because of the complicated scenarios. Thus the number of test cases can be very large if a high confidence level is required by the public or safety inspectors. To simplify the preparation of test cases, each test case can be executed independently. The distribution of I&C random failures can be treated as a Poisson distribution:

$$P(X = k) = \frac{\lambda^k e^{-\lambda}}{k!} \qquad (1)$$


where P is the probability of k failures, k is the failure number and λ is the average number of failures. Alternatively, the Binomial distribution can be used:

$$\Pr(X = k) = \binom{n}{k} p^k (1 - p)^{n-k} \qquad (2)$$

where p is the product failure probability and Pr is the probability of k failures. Pr and p can be understood as the risk the plant will take when this product is in operation. Meanwhile, as the testing conditions comply with the assumptions of the TRW model, the number of tests can be calculated from the known reliability number and the confidence level [16].

4.3 Test Cases

Test cases need to be chosen from plant scenarios that demand activation of the target I&C system; these scenarios should have been considered during the system PFD calculation. Suppose the target I&C system relates to $m$ demand classes, and $p_i$ is the failure probability of each demand class:

$$N = \sum_{i=1}^{m} n_i \qquad (3)$$

$$P = \prod_{i=1}^{m} (1 - p_i)^{n_j} \, p_i^{\,n_i - n_j} \qquad (4)$$

where $n_i$ is the number of tests for demand class i and $n_j$ is the number of passed tests.

4.4 Test Method Deviation

The failure mode of most electronic components follows the bathtub curve, so the influence of early failures needs to be avoided. The duration of the early-failure period should be known in order to judge product reliability correctly or to give feedback to the quality control team. As discussed above, the fixed duration test and the zero failure test are appropriate for the situation of nuclear power plants (limited resources and tight construction schedules). But because of the high reliability requirement, which can reach the order of 10^-4, a large number of test cases and a long test duration are unavoidable. Good practice is to debug as many errors as possible during the development phase so as to reduce the workload in the validation phase. Moreover, more advanced models can be considered for building the reliability demonstration test, such as the Single Risk Sequential Testing (SRST) method, although many more criteria must then be acknowledged by both consumer and producer [16].
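The statistical demonstration arithmetic behind Sects. 4.2 and 4.3 and the fixed-duration and zero-failure plans of Table 1, worked through in Python as an added example that is not part of the paper. It applies the paper's formulas (1) to (4); the zero-failure test count is derived from (2) with k = 0, and every PFD claim, confidence level, test count and demand class fed in below is a constructed value.

```python
"""Added worked example (not the paper's code): statistical reliability
demonstration testing with the Poisson (1), Binomial (2) and demand-class
(3)-(4) formulas. All numeric inputs used here are constructed."""
from math import ceil, comb, exp, factorial, log, prod


def poisson_pmf(k: int, lam: float) -> float:
    """Eq. (1): probability of exactly k random failures, lam = mean count."""
    return lam ** k * exp(-lam) / factorial(k)


def binomial_pmf(k: int, n: int, p: float) -> float:
    """Eq. (2): probability of exactly k failures in n independent demands,
    each failing with probability p."""
    return comb(n, k) * p ** k * (1.0 - p) ** (n - k)


def acceptance_probability(n: int, c: int, p: float) -> float:
    """Fixed-duration plan of Table 1, 'accept if at most c failures in n
    tests': probability of acceptance when the true per-demand failure
    probability is p (sum of eq. (2) over k = 0..c)."""
    return sum(binomial_pmf(k, n, p) for k in range(c + 1))


def plan_risks(n: int, c: int, p_good: float, p_bad: float):
    """Producer risk alpha (rejecting a product that truly meets p_good) and
    consumer risk beta (accepting a product whose true failure probability
    is the unacceptable p_bad), as listed in Table 1's acceptance criteria."""
    alpha = 1.0 - acceptance_probability(n, c, p_good)
    beta = acceptance_probability(n, c, p_bad)
    return alpha, beta


def zero_failure_test_count(p: float, confidence: float) -> int:
    """Zero-failure plan of Table 1: smallest n such that observing 0 failures
    in n demands rules out a per-demand failure probability of p at the given
    confidence. From eq. (2) with k = 0: (1 - p)**n <= 1 - confidence."""
    if not (0.0 < p < 1.0 and 0.0 < confidence < 1.0):
        raise ValueError("p and confidence must lie strictly between 0 and 1")
    return ceil(log(1.0 - confidence) / log(1.0 - p))


def demand_class_plan(classes):
    """Eqs. (3)-(4). classes: list of (p_i, n_i, n_j) per demand class, where
    p_i is the class failure probability, n_i the tests run and n_j the tests
    passed in that class. Returns (N, P): total tests and the probability of
    the observed pass/fail pattern."""
    N = sum(n_i for _, n_i, _ in classes)
    P = prod((1.0 - p_i) ** n_j * p_i ** (n_i - n_j) for p_i, n_i, n_j in classes)
    return N, P


if __name__ == "__main__":
    # Constructed case: claim PFD 1e-4 per demand, demonstrate at 95 % confidence.
    n = zero_failure_test_count(1e-4, 0.95)
    print(f"zero-failure tests needed for PFD 1e-4 at 95 % confidence: {n}")

    # Constructed fixed-duration plan: 30000 tests, accept with at most 1 failure;
    # p_good is the claimed PFD, p_bad the level that must be rejected.
    alpha, beta = plan_risks(30000, 1, p_good=1e-5, p_bad=1e-4)
    print(f"producer risk alpha={alpha:.3f}, consumer risk beta={beta:.3f}")

    # Constructed demand classes (p_i, n_i, n_j) with every test passed.
    N, P = demand_class_plan([(1e-4, 20000, 20000), (5e-4, 5000, 5000)])
    print(f"N={N} total tests, probability of the all-pass pattern P={P:.4f}")
```

The zero-failure count shows why the paper calls the test volume for a 10^-4 claim unavoidable: tens of thousands of independent demands are needed before a 95 % statement can be made.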


5 Conclusion

A proper quality control process following the standard IEC 61513 helps guarantee the reliability of computer based I&C systems [3]. Hardware and software reliability growth models predict, and help to reach, the reliability target for the I&C system during the development phase of the life cycle. Statistical testing is a way to demonstrate the reliability of a critical safety system during the validation phase, and different models used for software can be introduced into I&C system validation judgment. The model should be carefully chosen to facilitate the implementation of the testing.

References

1. Knight, J.C.: Safety critical systems: challenges and directions. In: Proceedings of the 24th International Conference on Software Engineering, pp. 547–550. ICSE Orlando, FL, USA (2002)
2. International Electrotechnical Commission: IEC 61508: Functional safety of electrical/electronic/programmable electronic safety-related systems (2010)
3. International Electrotechnical Commission: IEC 61513: Nuclear power plants - Instrumentation and control important to safety - General requirements for systems (2011)
4. AFCEN: RCC-E: Design and construction rules for electrical equipment of PWR nuclear islands (2012)
5. International Electrotechnical Commission: IEC 60780: Nuclear power plants - Electrical equipment of the safety system - Qualification (2016)
6. US Department of Defense: MIL-HDBK-781A: Handbook for Reliability Test Methods, Plans and Environments for Engineering, Development Qualification, and Production (1996)
7. Luo, M.Z.: Method for reliability parameter calculation of electronic product based on physics of failure models. Syst. Eng. Electron. 36(4), 795–801 (2014)
8. Foucher, B.: A review of reliability prediction methods for electronic devices. Microelectron. Reliab. 42, 1155–1162 (2002)
9. International Electrotechnical Commission: IEC 60880: Nuclear power plants - Instrumentation and control systems important to safety - Software aspects for computer-based systems performing category A functions (2006)
10. International Electrotechnical Commission: IEC 62138: Nuclear power plants - Instrumentation and control systems important to safety - Software aspects for computer-based systems performing category B or C functions (2018)
11. Ramamoorthy, C.V., Bastani, F.B.: Software Reliability—Status and Perspectives. IEEE Trans. Softw. Eng. SE-8(4), 354–371 (1982)
12. Bao, G.M., Zheng, C.W., Han, K.: Research of software MTBF computing methods. Comput. Eng. Appl. 44(35), 37–39 (2008)
13. Tal, O., Bendell, A., McCollin, C.: A comparison of methods for calculating the duration of software reliability demonstration testing, particularly for safety-critical systems. Qual. Reliab. Eng. Int. 16, 59–62 (2000)
14. Jiang, M.C., Li, Q.Y.: Research on discrete-type software reliability demonstration testing. Appl. Res. Comput. 27(4), 1363–1365 (2010)
15. Li, Q.Y., Jiang, M.C.: Analysis of necessary condition for minimal software reliability demonstration test suite. J. Beijing Univ. Aeronaut. Astronaut. 36(2), 239–247 (2010)
16. Tal, O., McCollin, C., Bendell, A.: Reliability demonstration for safety-critical systems. IEEE Trans. Reliab. 50(2), 194–203 (2001)
17. US Department of Defense: MIL-HDBK-217F: Handbook for Reliability Prediction of Electronic Equipment (1991)

Multi-ray Intelligent Monitoring System for Mixed Radiation Field Measurements

Jin-Xing Cheng1(B), You-Peng Wu1, Qing-Bo Wang1, Wei-Wei Wen1, Ai Yu1, Rui Qiu2, Yue Zhang1, and Wen-Kai Zhu1

1 Beijing Institute of High Technology, Beijing, China
2 Tsinghua University, Beijing, China

Abstract. In certain special scenarios, a mixed radiation field is formed by a variety of nuclides or rays. The monitoring system for such radiation fields requires the capacity for comprehensive and automatic analysis. In this paper, a specific mixed radiation field is given, which contains gamma rays, neutron rays, α aerosol and tritium in a high radon concentration environment. An intelligent monitoring system is developed to measure and evaluate the complex radiation field rapidly and accurately. The radiation performance of the system is verified by experiments and achieves the expected index requirements.

Keywords: Mixed radiation field · Multi-ray · Intelligent monitoring

1 Introduction

In certain scenarios, several kinds of nuclides and rays frequently coexist to form mixed radiation fields. The special radiation field is usually a mixture of gamma, neutron, α aerosol and 3H in a high radon concentration environment, which poses great challenges for the rapid discrimination of characteristic nuclides, accurate analysis of the radiation level and scientific assessment of radiation safety [1–3]. The mixed radiation field presented in this paper mainly contains typical nuclides such as uranium, plutonium and tritium, against a background of high radon concentration, and can release neutron, γ, α and β rays. The measurement characteristics of such radiation fields are mainly as follows.

a) The characteristic quantities are complex. When characterizing this kind of radiation field, it must be characterized not only by nuclides but also by ray types. The measurement must cover the dose rate and counting rate and must also carry out energy spectrum resolution.

b) Many interfering factors exist. Radon, as the background nuclide, has a very high concentration and easily interferes with the measurement of other nuclides that release α rays. In tritium measurement, β rays produced by the decay of other typical nuclides also interfere with the tritium measurement.

c) There are many kinds of radiation, which causes serious detector crosstalk. Different kinds of nuclides or rays can be detected by multiple detectors, and a detector itself is not sensitive to only one type of radiation.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021 Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 14–23, 2021. https://doi.org/10.1007/978-981-16-3456-7_3


According to the requirement of measuring γ, neutron, α and tritium simultaneously in the presence of high concentration radon, a mobile multi-ray intelligent monitoring system is developed for the safety of nuclear activities, which integrates rapid measurement, accurate screening and intelligent evaluation. The performance of this monitoring system has been verified by experiments and achieved the expected performance index requirements.

2 Measurement System Design

The mobile multi-ray monitoring system is composed of the γ-ray measurement unit, neutron-ray measurement unit, α aerosol measurement unit and tritium measurement unit. The technical routes are described as follows.

2.1 γ-ray Measurement Unit

In order to realize the functions of nuclide identification and dose rate measurement, a LaBr3 scintillator is utilized to detect the γ energy spectrum; it possesses high detection efficiency and good energy resolution, and can identify nuclides quickly and conveniently. This module adopts a 1.5" × 1.5" LaBr3 cylindrical detector. A G-M counter is added to expand the dose rate range, giving an energy range of 50 keV–3 MeV and a dose rate measurement range of 0.01 μSv/h–100 mSv/h. The principle of the γ-ray detection unit is shown in Fig. 1.

Fig. 1. Schematic diagram of γ-ray detection unit

16

J.-X. Cheng et al.

2.2 Neutron Measuring Unit

The neutron measurement unit shows the level of the neutron dose equivalent rate in the operating environment. This module adopts a ³He proportional counter tube detector. Charged particles are generated by the nuclear reaction between ³He and the neutron, and a signal is output after ionization, excitation or photoelectric conversion. The output charge pulse signal is amplified, identified and shaped, and then data processing is carried out. The functional block diagram of the neutron detection unit is shown in Fig. 2. The neutron energy response is 0.025 eV–10 MeV, and the neutron dose rate range is 0.01 μGy/h–100 mSv/h.

Fig. 2. Functional block diagram of neutron detection unit

2.3 α Aerosol Measurement Unit

A PIPS detector of ϕ20 mm, which has good energy resolution, is adopted in the α aerosol measurement unit. The detector is 1 mm–2 mm away from the filter paper. After sampling, the α particle energy spectrum is measured, the interference count of radon progeny is deducted by an energy spectrum processing method, the net count of the artificial nuclide is obtained, and from it the concentration is obtained. In order to reduce the workload of changing the filter paper, automatic filter paper removal is adopted [4]. The automatic paper removal mechanism is shown in Fig. 3. The typical measurement time is 60 min, and the range of activity concentration that can be measured is 0.8 Bq/m³–500 Bq/m³.

Fig. 3. Automatic paper feed mechanism (labelled parts: Screen, Driving Wheel, Driven Wheel, Fixing Pin)

2.4 Tritium Monitoring Unit

The tritium measurement module adopts a fluidized ionization chamber with a multi-ionization-chamber design. One set of ionization chambers is used to measure the tritium β, γ and radon α counts. The high-energy peak signal generated by radon α is separated from the low-energy gradient signal generated by tritium β through pulse amplitude discrimination in the analog filter circuit, and the radon α signal is deducted. The other set of ionization chambers is hermetically sealed and is used to compensate for the γ signal in the environment. Finally, only the measured β count is obtained through signal processing, and then the tritium activity concentration is calculated [5, 6]. The typical measurement time is 30 min, and the measurement range of tritium activity concentration is 10⁴ Bq/m³–10¹⁰ Bq/m³. The principle of the tritium measurement unit is shown in Fig. 4.

Fig. 4. Structural principle of tritium measurement system in high radon environment

2.5 Radon Concentration Monitoring Unit

This monitoring unit adopts a normal-temperature, atmospheric-pressure air pulse ionization chamber to detect radon and its daughters and to measure the radon concentration in the air rapidly. Because of its high detection efficiency and real-time response to the α rays of the ²²²Rn, ²¹⁸Po and ²¹⁴Po decay products, the air pulse ionization chamber has high detection sensitivity and fast response to changes in the environmental radon concentration, which allows rapid measurement or continuous accumulation measurement of the environmental radon concentration [7].

2.6 The Integrated Monitoring System

This monitoring system integrates a variety of detectors and auxiliary systems, as shown in Fig. 5. It is suitable for measuring environments with a high concentration of radon and can simultaneously measure a variety of rays or nuclides, such as the γ energy spectrum, γ dose rate, neutron dose rate, α aerosol activity concentration, ³H activity concentration, etc. It greatly saves the time and manpower needed to measure this mixed radiation field, and can provide all kinds of measurement information on the mixed radiation field quickly and intuitively.

Fig. 5. Schematic diagram of monitoring system appearance

3 Experiments and Discussion

In order to verify the performance of the whole machine, each measurement unit is tested, and the expected results are obtained.

3.1 γ-ray Measurement Unit Test

The γ-ray measurement unit is tested in a standard irradiation room with reference to the standard JJG 521-2006, verification regulation of X, γ radiation air absorption dose rate instruments for environmental monitoring [8]. A total of 8 standard values are selected for testing; 5 sets of data are taken at each standard value, and the results are shown in Table 1. According to the test, the maximum error is within 6%, and the system can accurately measure the environmental γ dose rate.


Table 1. Test results of γ-ray measurement unit (units of dose: μSv/h and mSv/h)

Standard value | Measured value (5 readings) | Average value | Error
12.03 | 12.17, 12.28, 12.24, 11.91, 12.07 | 12.134 | 0.86%
36.06 | 37.4, 37.67, 37.91, 37.8, 37.61 | 37.678 | 4.49%
60.61 | 64.19, 63.62, 63.46, 63.38, 62.21 | 63.372 | 4.56%
570 | 587.3, 592.1, 581.3, 594.7, 578.9 | 586.86 | 2.96%
229.66 | 275.5, 202.4, 230.5, 224.9, 281.2 | 242.9 | 5.77%
11.51 | 11.77, 12.12, 12, 11.23, 11.27 | 11.678 | 1.46%
34.51 | 35.09, 34.48, 34.92, 34.91, 35.28 | 34.936 | 1.23%
92.1 | 91.93, 90.65, 91.04, 91.7, 92.01 | 91.466 | −0.69%

3.2 Neutron Measurement Unit Test

A standard ²⁴¹Am-Be neutron source is used to test the neutron measurement unit, with reference to the standard JJG 852-2006, verification regulation of neutron ambient dose equivalent (rate) instruments [9]. A total of 3 standard values are selected for testing; 6 sets of data are taken at each standard value, and the results are shown in Table 2. According to the test data, the equipment reading is close to the true value, and the neutron measurement system can accurately measure the environmental neutron dose equivalent rate.

3.3 α Aerosol Measurement Unit Test

For the α aerosol measurement unit, the test comprises background measurement, activity response measurement and α efficiency measurement, as follows.

a) Background measurement. Turn on the instrument under test and preheat it for 30 min, place the instrument as far away from the radioactive source as possible, randomly read 10 groups of counting rate, and take the average value as the background counting rate.
b) Activity response measurement. The artificial α radioactive standard source is placed at the sampling position of the detector for measurement. Randomly read 10 groups of counting rate, take the average value, and deduct the background counting rate to obtain the net counting rate. The activity response (s⁻¹/Bq) is the ratio of the net count rate to the activity standard value (Bq).
c) α efficiency measurement. The detection efficiency is the ratio of the counting rate measured by the detector to the emissivity of the measured source.

The specifications of the standard source used for the calibration test are shown in Table 3. The activity response and detection efficiency of the α detector are shown in Table 4. The test results show that the PIPS detector has high sensitivity and high detection efficiency and can reach a good detection limit.

Table 2. Test result data of neutron measurement system

Distance (cm) | Conventional true value Ht (μSv/h) | Meter reading (μSv/h), 6 readings | Average (μSv/h) | Background (μSv/h), 6 readings | Average (μSv/h) | Net value Xd(l) (μSv/h) | Relative inherent error I | Calibration factor N
100 | 314 | 388, 385, 380, 389, 390, 383 | 386 | 83, 79, 80, 76, 81, 75 | 79 | 307 | −2.3% | 1.02
130 | 186 | 263, 261, 262, 259, 264, 261 | 262 | 79, 79, 74, 80, 81, 77 | 78 | 184 | −1.2% | 1.01
160 | 123 | 188, 190, 194, 188, 193, 189 | 190 | 68, 70, 69, 73, 68, 64 | 69 | 122 | −1.1% | 1.01

Instrument repeatability V (20 readings, μSv/h): 188, 190, 194, 188, 193, 189, 184, 187, 184, 190, 189, 185, 186, 184, 182, 179, 184, 179, 192, 181; V = 2.3%

Uncertainty analysis:

Neutron source intensity | 1%
Distance measurement | 0.5%
Correction factors of anisotropy | 0.5%
Count statistics of readings (take the maximum value to synthesize) | 0.4% (100 cm), 0.3% (130 cm), 0.6% (160 cm)
Spectral average dose equivalent conversion coefficient | 4%
Background subtraction of scattered neutrons | 1.1%
Composite standard uncertainty uc | 4.4%
Relative expanded uncertainty U (k = 2) | 8.7%
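As an added example (not code from the paper), the following Python script recomputes the quantities reported in Table 2 from the transcribed readings: the net value after background subtraction, the relative inherent error and calibration factor at each distance, the repeatability V from the 20-reading run, and the combined standard uncertainty uc and expanded uncertainty U (k = 2) from the uncertainty budget. The root-sum-square combination and the coefficient-of-variation definition of V are assumptions about the method, since the paper lists only the results.

```python
"""Recompute the neutron-unit test quantities of Table 2 (added example, not the paper's code)."""
import math
import statistics

# Readings transcribed from Table 2 (all values in μSv/h).
TEST_POINTS = {
    100: {"Ht": 314, "readings": [388, 385, 380, 389, 390, 383],
          "background": [83, 79, 80, 76, 81, 75]},
    130: {"Ht": 186, "readings": [263, 261, 262, 259, 264, 261],
          "background": [79, 79, 74, 80, 81, 77]},
    160: {"Ht": 123, "readings": [188, 190, 194, 188, 193, 189],
          "background": [68, 70, 69, 73, 68, 64]},
}
# The 20-reading run used for the instrument repeatability V.
REPEATABILITY_RUN = [188, 190, 194, 188, 193, 189, 184, 187, 184, 190,
                     189, 185, 186, 184, 182, 179, 184, 179, 192, 181]
# Relative standard uncertainty components (%) from the uncertainty analysis.
UNCERTAINTY_BUDGET = {
    "neutron source intensity": 1.0,
    "distance measurement": 0.5,
    "correction factors of anisotropy": 0.5,
    # count statistics: 0.4% (100 cm), 0.3% (130 cm), 0.6% (160 cm); take the maximum
    "count statistics of readings": max(0.4, 0.3, 0.6),
    "spectral average dose equivalent conversion coefficient": 4.0,
    "background subtraction of scattered neutrons": 1.1,
}


def evaluate_point(Ht, readings, background):
    """Net value Xd(l), relative inherent error I and calibration factor N for one distance."""
    mean_reading = statistics.fmean(readings)
    mean_background = statistics.fmean(background)
    net = mean_reading - mean_background          # scattered-neutron background removed
    error_pct = (net - Ht) / Ht * 100.0           # relative inherent error I
    factor = Ht / net                             # calibration factor N = Ht / Xd(l)
    return {"net": net, "error_pct": error_pct, "factor": factor}


def repeatability_pct(run):
    """Instrument repeatability V, assumed here to be the coefficient of variation."""
    return statistics.stdev(run) / statistics.fmean(run) * 100.0


def combined_uncertainty_pct(budget, k=2):
    """Root-sum-square of the components gives uc; U = k * uc (assumed method)."""
    uc = math.sqrt(sum(c * c for c in budget.values()))
    return uc, k * uc


def evaluate_table2():
    points = {d: evaluate_point(**p) for d, p in TEST_POINTS.items()}
    uc, U = combined_uncertainty_pct(UNCERTAINTY_BUDGET)
    return {"points": points,
            "V_pct": repeatability_pct(REPEATABILITY_RUN),
            "uc_pct": uc, "U_pct": U}


if __name__ == "__main__":
    result = evaluate_table2()
    for d, r in result["points"].items():
        print(f"{d} cm: net {r['net']:.1f} μSv/h, I {r['error_pct']:+.1f}%, N {r['factor']:.2f}")
    print(f"V {result['V_pct']:.1f}%, uc {result['uc_pct']:.1f}%, U(k=2) {result['U_pct']:.1f}%")
```

The recomputed values agree with the table to within rounding of the intermediate averages.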

3.4 Tritium Monitoring Unit Test

The test of the tritium monitoring system refers to GB/T 30150-2013, “Radiation protection instrument airborne tritium monitoring equipment” [10]. A standard tritium gas cylinder with an activity concentration of (3–6) mCi/m³, a reference monitor and a test circuit (including pipeline, valves, pump, pressure gauge, etc.) are needed for the measurement. The test circuit is shown in Fig. 6. The test data are shown in Table 5.


Table 3. Standard source specifications used for calibration tests

Name | Specifications | Nuclide | Surface emissivity (min · 2πsr)⁻¹ | Standard source activity (Bq) | Expanded uncertainty Urel (K = 2)
Plutonium standard plane source | 87 mm × 50 mm × 2.0 mm | ²³⁹Pu | 8.06 × 10² | 1.581 × 10³ | 3.5%

Table 4. Activity response and detection efficiency of α detector

Type | Standard source activity (Bq) | Standard source surface emissivity (s · πsr)⁻¹ | Net count (s⁻¹) | Activity response (s⁻¹/Bq) | Detection efficiency (ξ)
²³⁹Pu α | 1.58 × 10³ | 8.06 × 10² | 472.8 | 2.99 × 10⁻¹ | 58.65%

Fig. 6. Schematic diagram of test circuit

The results show that the detector has good linearity and the maximum measurement error is within 7%. It can accurately measure the tritium activity concentration in the environment.

Table 5. Test data of ³H monitoring system

Reference monitor (average of 10 readings) | Tested equipment (average of 10 readings) | Error
45.3 kBq/m³ | 43.2 kBq/m³ | −4.6%
510 kBq/m³ | 539.5 kBq/m³ | 5.8%
1057.6 kBq/m³ | 1126.2 kBq/m³ | 6.5%

3.5 Radon Concentration Monitoring Unit Test

The radon concentration monitoring system test refers to JJG 825-2013, “Radon meter” [11]. The test results are shown in Table 6.

Table 6. Test data of radon concentration monitoring system (instrument background: average of 143 readings, 1.00 Bq/m³)

Standard value | Instrument indication | Error
1522 | 1636 | 7.49%
2311 | 2327 | 0.69%
2542 | 2604 | 2.44%
2629 | 2541 | −3.35%
2629 | 2485 | −5.48%
2620 | 2532 | −3.36%
2608 | 2496 | −4.29%
2585 | 2455 | −5.03%
2522 | 2417 | −4.16%
2460 | 2393 | −2.72%
2500 | 2416 | −3.36%
2493 | 2340 | −6.14%
2433 | 2402 | −1.27%
2380 | 2276 | −4.37%
2379 | 2316 | −2.65%
2380 | 2248 | −5.55%

The test results show that the detector shows good linearity, and the measurement error is very small, which can accurately measure the radon activity concentration in the environment.


4 Conclusion

A prototype for measuring γ, neutron, α aerosol and ³H simultaneously in a high-radon environment has been developed; it achieves multi-purpose, simultaneous monitoring with one machine and economizes measurement time, manpower and material resources. Each measurement unit was tested separately, and the response test data were obtained. The experimental results show that the measurement error of each measurement unit is within the acceptance range and that the equipment can accurately measure each type of radiation separately. It should be noted that the tests were carried out in single radiation field environments, without testing in a complex radiation field with high radon concentration, and that the interference of each type of radiation with the other measurement units in a complex radiation field has not been studied; subsequent testing in a complex radiation field is required to obtain the response correction coefficients.

References

1. Ji, C.S.: Nuclear Radiation Detector and Its Experimental Technical Manual. Atomic Energy Press, Beijing (2010)
2. Chang, Y.Z., Wang, X.H., Wang, J., et al.: Analysis of radionuclides in aerosol samples (I): analysis method of radioactive energy spectrum in aerosol samples. Nucl. Technol. 27(6), 430–434 (2004)
3. Hu, Y.X., Wang, X.Q., Zhu, W.K., et al.: An equipment for rapid detecting human nuclide aerosol concentration in high radon. Nucl. Electron. Detect. Technol. 27(02), 271–275 (2007)
4. Wang, Y.Y., Wei, Y.K., Chen, X.L., et al.: Design of radioactive aerosol measurement system for nuclear power plant based on PIPS semiconductor detector. Ship Sci. Technol. 8, 137–139 (2011)
5. Yang, H.Y., Wu, B., Wen, X.L., et al.: Development of a radon discriminating tritium monitor in the air. Nucl. Electron. Detect. Technol. 24(6), 555–558 (2004)
6. Zhao, K., Guo, H.P., Lv, N., et al.: Design of tritium monitoring ionization chamber in high radon environment. Nucl. Electron. Detect. Technol. 36(03), 269–273 (2016)
7. Huang, F., Liao, Z.L., Huang, L.Z., et al.: Development of automatic calibration device for trace radon measurement instrument. Chinese J. Analyt. Chem. 39(10), 1506–1512 (2011)
8. JJG 521-2006: Verification regulation of X, γ radiation air absorption dose rate instrument for environmental monitoring
9. JJG 852-2006: Verification regulation of neutron peripheral dose equivalent (rate) instrument
10. GB/T 30150-2013: Radiation protection instrument airborne tritium monitoring equipment
11. JJG 825-2013: Radon meter

Basic Model Design of Online Monitoring System for Mixed Radiation Field

Jin-Xing Cheng(B), Wen-Kai Zhu, Qing-Bo Wang, Wei-Wei Wen, You-Peng Wu, and Ai Yu

Beijing Institute of High Technology, Beijing, China

Abstract. With the wide application of nuclear technology, radiation fields increasingly show hybrid, complex and varied characteristics. In order to ensure the safety and data transparency of a radiation field, an online radiation monitoring system is usually established for every important radiation field. Its purpose is to monitor the parameters of the radiation field accurately and in real time, and to evaluate the status of radiation safety scientifically and reliably. Therefore, a basic model of an online monitoring system for mixed radiation fields is established, which can be expanded appropriately in accordance with the different scales and types of radiation field.

Keywords: Mixed radiation field · Online monitoring system · Basic model · Evaluation

1 Preface

With the extensive and in-depth application of nuclear technology in the national defense and civil fields, radiation fields increasingly show hybrid, complex and varied characteristics. In order to ensure the safety and data transparency of a radiation field, an online radiation monitoring system is generally established for every important radiation field. Its purpose is to monitor the parameters of the radiation field accurately and in real time, and to evaluate the status of radiation safety scientifically and reliably. Therefore, a basic model of an online monitoring system for mixed radiation fields is established. The functional requirements, hardware composition, information exchange and data evaluation of the basic model are described in this paper.

2 Establishment of the Basic Model of On-Line Radiation Monitoring System

2.1 Functional Requirements

The system can monitor α, β, γ, neutron, ³H and ²²²Rn in real time, continuously and accurately, and evaluate the monitoring data scientifically and reliably. Therefore, the system shall have the following functions: accurate measurement capability, comprehensive monitoring capability, real-time measurement capability, safety assessment capability, over-limit alarm capability, etc.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021 Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 24–29, 2021. https://doi.org/10.1007/978-981-16-3456-7_4


2.2 Index System

Establishing the index system of the monitoring system provides the infrastructure for different nuclear facilities and materials. The measurement functions and the relationships among the indices are shown in Fig. 1.

Fig. 1. Index of the measured quantity and alarm threshold

According to the specific conditions of the nuclear facilities and nuclear materials, the measurement range, lower measurement limit and response time of the relevant measurement equipment are given. The alarm threshold of each measured quantity is obtained through theoretical calculation or actual measurement.

2.3 Establishment Principles

In order to adapt to the online monitoring functions of different nuclear facilities and materials and to improve the adaptability of the basic-model monitoring system, the following principles should be taken into consideration while establishing the basic model:

• The system expansion is simple
• Wired and wireless networking
• Supporting upward and downward data compatibility
• Supporting calibration-free operation over a long time
• Equipped with automatic data upload


2.4 Instrument Selection and Development Principle

Due to the special purpose of the system, the stability, safety, reliability and other factors of the system shall be considered comprehensively. Therefore, the following principles shall be considered comprehensively in the selection or development of the instruments of the system:

• Try to use domestic instruments
• Try to use mature and reliable instruments
• Key components shall be replaced by domestic ones as much as possible
• All instruments shall be tested for the “six properties”

3 Key Technologies and Solutions

An online monitoring system involves various detection instruments and collects many kinds of information, so there are inevitably many problems of information fusion and integration. Therefore, we should focus on solving the following problems.

3.1 Various Types of Data Acquisition and Processing Technology

Under the framework of the basic model, the system will be expanded for different nuclear facilities, which will inevitably evolve into a huge system engineering effort including multiple subsystems. In addition, there are different types of monitoring terminals, and the sampling methods include online real-time fixed-point measurement, patrol inspection, sampling detection and other means. At the same time, the system must also be compatible with the nuclear accident emergency decision-making system, the radiation health protection system and the nuclear facility safety alert system, and it requires a large amount and variety of information. Therefore, a three-layer network management structure of field monitoring, regional management and central management is adopted. The TCP/IP communication protocol is used for central management, and the RS-485 communication protocol, which is compatible with the RS-232 communication protocol, is used for regional and field management. In other words, the output signals of all monitoring terminals are converted into digital signals conforming to the RS-485 communication protocol and then transmitted over the LAN. See Fig. 2.

3.2 Multi-system Integrated Technology

The safety of nuclear facilities is of paramount importance. Therefore, the operating unit and the management department of nuclear facilities will take various measures at all costs to ensure nuclear safety or mitigate the consequences of nuclear accidents. The integration of the nuclear security system, the water and wind power system, the environmental monitoring system and the online radiation monitoring system must be considered. Therefore, it is necessary to carry out multi-level, multi-spatial information complementation and optimized combination processing for the various sensors. The ultimate goal of information fusion in this process is to derive more useful information


Fig. 2. Three level data transmission

through a multi-level, multi-faceted combination of information based on the separate monitoring information obtained by each sensor, which not only makes use of the advantages of multi-sensor collaborative operation but also integrates processed data from other information sources to improve the intelligence of the system. As a result, we should focus on research into the following issues.

Firstly, the redundancy of information. For one feature of a nuclear facility, useful information can be obtained through multiple sensors; this information is redundant and of differing reliability. Therefore, more accurate and reliable information can be extracted through fusion processing. In addition, the redundancy of information can improve the overall stability of the system and avoid paralysis of the whole system caused by the failure of a single sensor.

Secondly, the complementarity of information. Different kinds of sensors provide different information to the system; because the objects described by this information are different features, the information is complementary.

Thirdly, the timeliness of information processing. The processing of each sensor is relatively independent, and the whole processing can be carried out in parallel, which gives the system a faster processing speed and more timely processing results.

In addition, the architecture of information fusion should be considered. Three structures are mainly considered for information fusion: centralized, distributed and hybrid. The advantages of the centralized structure are real-time fusion, high accuracy and flexible data-processing algorithms. Its disadvantages are high processor requirements, low reliability and a large amount of data, which is difficult to achieve. The advantages of the distributed structure are low bandwidth requirements, fast computing speed and better reliability and continuity, but its tracking accuracy is not as high as that of the centralized structure. Generally, the hybrid structure, which integrates the advantages of the centralized and distributed structures, is adopted for the design.
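As an added example (not the paper's own code), the following Python block shows the redundancy and timeliness handling described in Sect. 3.2 for one measured quantity: readings from several redundant monitors of differing reliability are checked for staleness and mutual consistency before a reliability-weighted fused value is compared with the alarm threshold from the index system of Sect. 2.2. The reliability weights, the γ dose-rate threshold and the sample readings are all constructed for illustration.

```python
"""Reliability-weighted fusion of redundant radiation monitors (added example, not the paper's code)."""
from dataclasses import dataclass
from statistics import median


@dataclass
class Reading:
    sensor_id: str
    value: float        # measured quantity, e.g. γ dose rate in μSv/h
    reliability: float  # hypothetical per-sensor weight in (0, 1]
    age_s: float        # seconds since the reading was produced (timeliness)


def fuse_readings(readings, max_age_s=60.0, max_rel_dev=0.5, min_sensors=2):
    """Fuse redundant readings of one measured quantity.

    Timeliness: readings older than max_age_s are dropped.
    Redundancy: with three or more fresh readings, any reading farther than
    max_rel_dev (relative) from the median is treated as a failed sensor and
    dropped, so one faulty sensor can neither force nor mask an alarm.
    The survivors are combined by a reliability-weighted mean.
    Returns (fused_value_or_None, accepted_ids, rejected_ids, degraded).
    """
    fresh = [r for r in readings if r.age_s <= max_age_s]
    rejected = [r.sensor_id for r in readings if r.age_s > max_age_s]
    degraded = False
    if len(fresh) >= 3:
        m = median(r.value for r in fresh)
        tol = max_rel_dev * max(abs(m), 1e-9)
        accepted = [r for r in fresh if abs(r.value - m) <= tol]
        rejected += [r.sensor_id for r in fresh if abs(r.value - m) > tol]
    else:
        # Too few readings to tell which one is wrong: keep them, but flag
        # the result as degraded if the two disagree.
        accepted = fresh
        if len(fresh) == 2:
            a, b = fresh[0].value, fresh[1].value
            degraded = abs(a - b) > max_rel_dev * max(abs(a), abs(b), 1e-9)
    if not accepted:
        return None, [], rejected, True
    weight = sum(r.reliability for r in accepted)
    fused = sum(r.reliability * r.value for r in accepted) / weight
    degraded = degraded or len(accepted) < min_sensors
    return fused, [r.sensor_id for r in accepted], rejected, degraded


def alarm_state(fused, threshold, degraded):
    """Alarm decision against the index system's threshold for this quantity."""
    if fused is None:
        return "NO_DATA"   # every sensor stale or rejected: needs operator attention
    if fused > threshold:
        return "ALARM"
    return "NORMAL_DEGRADED" if degraded else "NORMAL"


# Constructed sample: three γ dose-rate monitors on one feature plus one stale one.
GAMMA_THRESHOLD_USV_H = 50.0  # hypothetical alarm threshold
SAMPLE_GAMMA = [
    Reading("G1", 12.1, 0.9, age_s=5),
    Reading("G2", 12.6, 0.8, age_s=8),
    Reading("G3", 250.0, 0.7, age_s=6),   # faulty: reads far above its peers
    Reading("G4", 12.4, 0.9, age_s=900),  # stale: link to the field layer lost
]


def demo():
    fused, accepted, rejected, degraded = fuse_readings(SAMPLE_GAMMA)
    return fused, accepted, rejected, alarm_state(fused, GAMMA_THRESHOLD_USV_H, degraded)


if __name__ == "__main__":
    print(demo())
```

With the sample above, G3 is rejected as inconsistent and G4 as stale, the fused value is about 12.3 μSv/h and the state is NORMAL, whereas a naive maximum over the raw readings would have raised a false alarm.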

4 Experimental Verification Design

Due to the special nuclear sites and equipment involved, a variety of experiments are needed to verify the basic model of the online monitoring system. In view of the independence of the system, this paper presents, but is not limited to, the following tests.

4.1 Radiation Performance Test

The radiation performance test is based on industry standards or national standards, and is basically carried out according to the following contents:

• Energy response
• Angle response
• Resolution
• Response time

4.2 Environmental Experiment

According to the relevant standards, environmental experiments are carried out in accordance with the following contents:

• Temperature adaptability
• Electromagnetic compatibility
• Radiation environmental adaptability

4.3 Reliability Experiment

According to the requirements of the online monitoring system, the reliability index proposed by the design is evaluated experimentally:

• Reliability analysis and evaluation
• Reliability test

4.4 Maintainability Experiment

According to the requirements of the online monitoring system, the maintainability is tested.


5 Application Demonstration Design

After the mixed radiation field online monitoring system is designed and manufactured, it is necessary to carry out an application demonstration in typical scenarios to test its application effect. The following factors need to be considered in the application demonstration design.

5.1 Representative Application of Demonstration

The demonstration application scenario should be a typical mixed radiation field scenario that covers the measurement requirements of each functional module of the basic model of the online monitoring system. Moreover, the application scenario should have many parallel occasions, so that the conditions for mass promotion can be met after the demonstration application.

5.2 Evaluability of Demonstration Application

During the demonstration application period, the basic model system should have evaluable conditions in its operating state and its various performance indices, so that a credible comprehensive evaluation of the basic model system of the demonstration application can be conducted and data support can be provided for verifying its performance and its subsequent promotion.

6 Conclusion

In order to meet the needs of online monitoring of mixed radiation fields, this paper presents a basic model design of an online monitoring system for mixed radiation fields together with its related technologies and verification approaches. This study provides a basic reference for the establishment of the basic model of an online monitoring system for mixed radiation fields and for the design of a series of products.

Duty Ratio Restriction Strategies of Space Vector PWM for Power Amplifiers of AMBs

Chun-Yi Wang, Kai Zhang(B), and Yang Xu

Department of Engineering Physics, Tsinghua University, Beijing, China
[email protected]

Abstract. The performance of power amplifiers for active magnetic bearings (AMB) is closely related to their main power circuits and the control algorithms used. A three-phase bridge circuit is selected as the main power circuit of an AMB power amplifier. Through a space vector pulse width modulation (SVPWM) algorithm, two electromagnet coils can be driven simultaneously by the three-phase bridge circuit. However, when the coil current command signal for the amplifier fluctuates sharply, a specially designed duty ratio restriction strategy is required. In this paper, two duty ratio restriction strategies, the Period Bisection Strategy and the Proportional Reduction Strategy, are proposed for the situation in which the coil current command signal exceeds the tracking range in one PWM period. Experiments show that when the change rate of the coil current command signal is large, the Proportional Reduction Strategy makes the distortion of the current in each coil (i.e. the difference between the required current change and the actual current change in one PWM period) proportional to the change rate of the command signal, while the Period Bisection Strategy significantly reduces or even eliminates the distortion of the current in the coil with the slower change rate of the command signal, at the cost of increasing the distortion of the current in the coil with the faster change rate of the command signal.

Keywords: Power amplifier · Three-phase bridge circuit · SVPWM · Duty ratio restriction strategies

1 Introduction

In recent years, with the development of science and technology, improving the performance of rotating machinery urgently requires increasing rotor speeds. Active magnetic bearings (AMB) have become a research hotspot. They have important applications in flywheels, aerospace, medical equipment, turbomachinery and other fields [1–3]. A power amplifier is an important component of an AMB closed-loop system. It provides current to the electromagnet coils, and controls the current to track the command signals given by the controller in real time. The performance of power amplifiers for AMBs is closely related to their main power circuits and the control algorithms used. At present, the main power circuit used by the power amplifier is a half-bridge circuit or a full-bridge circuit. The article proposed a novel scheme of power amplifiers for AMBs

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021 Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 30–44, 2021. https://doi.org/10.1007/978-981-16-3456-7_5


using a three-phase bridge circuit and space vector pulse width modulation (SVPWM) [4]. This scheme reduces the number of MOSFETs in the main power circuit and has the advantages of low current ripple and high reliability. The article discussed the current tracking range in one PWM period (“tracking range” for short), but did not give a method for dealing with a command signal outside the tracking range. When the command signal fluctuates sharply, it exceeds the tracking range of the power amplifier. Therefore, a duty ratio restriction strategy needs to be designed to prevent the total charge and discharge time from being greater than one PWM period T. Different duty ratio restriction strategies have different effects on the performance of a power amplifier. For this reason, two duty ratio restriction strategies are proposed in this paper: the Proportional Reduction Strategy and the Period Bisection Strategy.

When the current command signal exceeds the tracking range, the Proportional Reduction Strategy makes the distortion of the current in each coil (i.e. the difference between the required current change and the actual current change in one PWM period) proportional to the change rate of the command signal. This strategy keeps the total charge and discharge time within one PWM period T by compressing the charge and discharge times of the two coils in equal proportion. For the other requirement, when the command signal exceeds the tracking range, the Period Bisection Strategy reduces or even eliminates the distortion of the current in the coil with the slower change rate of the command signal. This strategy keeps the total charge and discharge time within one PWM period T by reducing the charge and discharge time of the coil with the faster change rate of the command signal, which minimizes the change of the charge and discharge time of the coil with the slower change rate.

In this paper, the SVPWM control strategy and the two duty ratio restriction strategies are implemented through the state machine of an FPGA. The effects of the two duty ratio restriction strategies have been compared and verified by experiments.

2 Power Amplifier for AMBs

A power amplifier receives command signals and outputs to the electromagnet coils a current proportional to the command signals, so that the current in the electromagnet coils tracks the command signals. The diagram of a power amplifier with two inputs and two outputs is shown below. In Fig. 1, the input command signals of the power amplifier are two analog voltage signals cmd1 and cmd2, and the output ends are connected to two coils L1 and L2. Let the amplification factor of the power amplifier be α. Then, according to the command signals, the desired output currents of the power amplifier are α·cmd1 and α·cmd2. The actual currents i1 and i2 in the coils L1 and L2 are measured by Hall sensors. The current errors I between the current required by the command signal and the actual current in each coil are:

$$I_1 = \alpha \cdot cmd_1 - i_1 \tag{1}$$

$$I_2 = \alpha \cdot cmd_2 - i_2 \tag{2}$$


Fig. 1. Diagram of a power amplifier (inputs cmd1 and cmd2; outputs to coils L1 and L2)

I is the required current change in one PWM period. In order to track the command signal exactly, I should be less than the driving capability limit of the power amplifier. When the coils' internal resistance is ignored, the coils can be viewed as ideal inductors. The relationship between voltage and current in an inductor is:

$$u = L \frac{di}{dt} \tag{3}$$

Integrating both sides, the relationship between the current change and the voltage is:

$$I = \frac{1}{L} \int_{t_1}^{t_2} u \, dt \tag{4}$$

In order to simplify the control, the power amplifier charges and discharges the coil by applying a constant voltage across the coil, and controls the current change in the coil by controlling the duration of the voltage. The above equation becomes:

$$I = \frac{1}{L} V T_V \tag{5}$$

V is the voltage applied across the coil, and $T_V$ is the duration of the voltage.

3 The Principle of SVPWM of Three-Phase Bridge Circuit

In [4–6], an integrated main power circuit for a switching power amplifier, as shown in Fig. 2, is discussed. It has three arms that can drive two electromagnet coils simultaneously. Three-phase bridge circuits are integrated in highly integrated power modules such as IPM modules. Such integrated components are widely available on the market.

Fig. 2. Three-phase bridge circuit (MOSFETs T1–T6, upper-arm control signals S1–S3 with their inverses S1', S2', S3', bus voltage U, coils L1 and L2)

As shown in Fig. 2, the three-phase bridge circuit has three arms. T1–T6 are 6 MOSFETs. L1 and L2 are two electromagnet coils. The bus voltage is U. The upper arms are controlled by three control signals S1, S2 and S3 which are generated by a power amplifier. The lower arms are controlled with the inverted signals of their corresponding upper arms. Each control signal S has two states: 0 and 1. The MOSFET turns on when the control signal is 1 and shuts down when the control signal is 0. So there are eight states in the circuit. The voltage applied to each coil in the eight states A0–A7 is shown in Fig. 3. The values in parentheses are S1–S3. The horizontal axis is the voltage applied on L1 and the vertical axis is the voltage applied on L2. The voltage multiplied by the duration represents the current change in one PWM period.

Fig. 3. Voltage state vector distribution diagram


Any current change ΔI can be obtained by applying its two adjacent state vectors for durations in specific proportions. Assume that the state vectors adjacent to ΔI are $\vec{A}_i$ and $\vec{A}_j$, and the corresponding durations are $t_i$ and $t_j$. When both coils have the same inductance L, according to Eq. (5), the relationship between them is:

$$\Delta I = \frac{1}{L}\vec{A}_i t_i + \frac{1}{L}\vec{A}_j t_j \quad (6)$$

Among them

$$\Delta I = (\alpha \cdot \mathrm{cmd}_1 - i_1)\vec{V}_1 + (\alpha \cdot \mathrm{cmd}_2 - i_2)\vec{V}_2 \quad (7)$$

Assume that one PWM period is T and the time without charge and discharge is t0. t0 is the duration of the zero voltage state vector A0 or A7.

$$t_0 = T - t_i - t_j \quad (8)$$

When ΔI is in Zone I as shown in Fig. 3, ΔI can be composed of A1·t1/L and A2·t2/L. There are:

$$(\alpha \cdot \mathrm{cmd}_1 - i_1)\vec{V}_1 + (\alpha \cdot \mathrm{cmd}_2 - i_2)\vec{V}_2 = \frac{1}{L}\vec{A}_1 t_1 + \frac{1}{L}\vec{A}_2 t_2 \quad (9)$$

$$\vec{A}_1 = U\vec{V}_1 \quad (10)$$

$$\vec{A}_2 = U\vec{V}_2 \quad (11)$$

Therefore

$$t_1 = \frac{L}{U}(\alpha \cdot \mathrm{cmd}_1 - i_1) \quad (12)$$

$$t_2 = \frac{L}{U}(\alpha \cdot \mathrm{cmd}_2 - i_2) \quad (13)$$

Similarly, the duration of each voltage state vector in the other zones can be calculated, as shown in Table 1.

Table 1. Duration of each voltage state vector in each zone

Zone | A1    | A2    | A3  | A4     | A5     | A6  | A0/A7
I    | x     | y     | 0   | 0      | 0      | 0   | T − x − y
II   | 0     | y + x | −x  | 0      | 0      | 0   | T − y
III  | 0     | 0     | y   | −x − y | 0      | 0   | T + x
IV   | 0     | 0     | 0   | −x     | −y     | 0   | T + x + y
V    | 0     | 0     | 0   | 0      | −y − x | x   | T + y
VI   | x + y | 0     | 0   | 0      | 0      | −y  | T − x

In Table 1, x and y can be calculated by:

$$x = (\alpha \cdot \mathrm{cmd}_1 - i_1)\,\beta \quad (14)$$

$$y = (\alpha \cdot \mathrm{cmd}_2 - i_2)\,\beta \quad (15)$$

Among them

$$\beta = \frac{L}{U} \quad (16)$$

After calculating the duration of each voltage state, the three control signals S1, S2 and S3 can be generated according to the states of S1, S2 and S3 in each voltage state. A scheme using 7 voltage states (one of A0 and A7 being chosen) is called the 7 operating points scheme. A scheme with only 5 voltage states (A1, A2, A4, A5, A0/A7) can also be used, which is called the 5 operating points scheme. Because the tracking range of the 7 operating points scheme is larger than that of the 5 operating points scheme, this paper mainly discusses the 7 operating points scheme.

4 Two Duty Ratio Restriction Strategies

In one PWM period T, it is required that:

$$t_i + t_j \le T \quad (17)$$

This is equivalent to a limit on t0, the duration of the zero voltage state vector A0 or A7:

$$t_0 = T - t_i - t_j \ge 0 \quad (18)$$

According to Inequality (18) and Table 1, the restricted range of x and y, which is the tracking range of the power amplifier, is shown in the shaded section of Fig. 4. Roman numerals represent the zone numbers in Table 1. ΔI1 and ΔI2 calculated by Eq. (1) and (2) are the required current changes in one PWM period.

$$\Delta I_1 = \alpha \cdot \mathrm{cmd}_1 - i_1 \quad (1)$$

$$\Delta I_2 = \alpha \cdot \mathrm{cmd}_2 - i_2 \quad (2)$$

x and y are calculated by Eq. (14) and (15):

$$x = (\alpha \cdot \mathrm{cmd}_1 - i_1)\,\beta \quad (14)$$

$$y = (\alpha \cdot \mathrm{cmd}_2 - i_2)\,\beta \quad (15)$$

The actual current changes in one PWM period are:

$$\Delta i_1 = x/\beta \quad (19)$$

$$\Delta i_2 = y/\beta \quad (20)$$

Fig. 4. The tracking range of the 7 operating points scheme

So when x and y are within the shaded section of Fig. 4, Δi is equal to ΔI, which means the command signals are tracked exactly. But when the load changes abruptly or other special circumstances occur, the change of cmd1 or cmd2 in one PWM period, which is the change rate of cmd1 or cmd2, will be so large that x and y fall outside the restricted range. x and y, which are the PWM duty ratios, should then be limited to ensure that Inequality (18) holds. As a result, the actual current change Δi is smaller than the required current change ΔI, and the current in the coils is distorted. Different schemes for limiting x and y, i.e. different duty ratio restriction strategies, have different effects on the performance of a power amplifier. Based on different requirements, two duty ratio restriction strategies are proposed in this paper.

4.1 Proportional Reduction Strategy

The purpose of the Proportional Reduction Strategy is to make the distortion of the current in the coil whose command signal has the faster change rate bigger, and the distortion of the current in the coil whose command signal has the slower change rate smaller, when x and y are out of the restricted range. That is, the distortion of the current in each coil (i.e. the difference between the required current change and the actual current change) is proportional to the change rate of the command signal (which can be represented by x or y). x and y calculated by Eq. (14) and (15) are limited to x′ and y′ by the Proportional Reduction Strategy. So it is required that:

$$\frac{x - x'}{x} = \frac{y - y'}{y} \quad (21)$$

In the first quadrant, it is required that:

$$x' + y' = T \quad (22)$$

Therefore

$$x' = \frac{x}{x + y}\,T \quad (23)$$

$$y' = \frac{y}{x + y}\,T \quad (24)$$

So x′ and y′ can be viewed as x and y multiplied by a factor k which is less than 1:

$$k = \frac{T}{x + y} \quad (25)$$

Figure 5 illustrates the Proportional Reduction Strategy. Arrows indicate the scheme of limiting x and y. In the first quadrant, multiplying x and y by a factor k is equivalent to sliding (x, y) along the line between the point (x, y) and the origin to the intersection (x′, y′) of that line with the boundary of the shaded range. (x′, y′) after restriction is circled in red. The second and fourth quadrants are each divided into 3 regions.

Fig. 5. Proportional reduction strategy diagram

In zone i, we can bring x and y within the shaded region by limiting only x to x′ = −T and keeping y constant. Even a decrease in y would not make the change in x smaller. So the changes in x and y are both minimal; that is, this scheme minimizes the distortions of the current in both L1 and L2. In zone iii, keep x constant and limit y to y′ = T, which is similar to the scheme in zone i. In zone ii, limit x to x′ = −T and y to y′ = T to minimize both the change in x and the change in y. This scheme minimizes the distortions of the current in both L1 and L2, so it is the optimal duty ratio restriction in zones i, ii and iii. Although Eq. (21) is not satisfied, the current distortion is minimized. Restriction schemes for the third and fourth quadrants can be obtained in the same way. The Proportional Reduction Strategy is shown in Table 2.

Table 2. Proportional reduction strategy

Zone         | Before restriction | Restriction strategy
x > 0, y > 0 | x + y ≤ T          | x′ = x, y′ = y
             | x + y > T          | x′ = x/(x + y)·T, y′ = y/(x + y)·T
x < 0, y > 0 | x, y               | x′ = −min(−x, T), y′ = min(y, T)
x > 0, y < 0 | x, y               | x′ = min(x, T), y′ = −min(−y, T)
x < 0, y < 0 | −x − y < T         | x′ = x, y′ = y
             | −x − y > T         | x′ = −x/(x + y)·T, y′ = −y/(x + y)·T

4.2 Period Bisection Strategy

The purpose of the Period Bisection Strategy is to minimize the distortion of the current in the coil whose command signal has the slower change rate, when the change rate of the other command signal is so fast that x and y are out of the restricted range. Figure 6 illustrates the Period Bisection Strategy. Arrows indicate the scheme of limiting x and y. (x′, y′) after restriction is circled in red. Zones out of the tracking range are divided into 12 sections.

Fig. 6. Period bisection strategy diagram

The optimal duty ratio restriction in zones i, ii and iii is given in Sect. 4.1. It also satisfies the purpose of the Period Bisection Strategy, which makes the change of the smaller of x and y minimal or even zero, to minimize the distortion of the current in the coil whose command signal has the slower change rate. In zones iv, v and vi (the upper right of zone I), we can decrease only x, decrease only y, or decrease both x and y to keep x and y in the shaded region. In order to minimize the distortion of the current whose command signal has the slower change rate, we try to keep the smaller of x and y constant and decrease the larger one. But we cannot determine which of x and y causes the distortion by just comparing x and y, because it could be caused by both x and y being large. Therefore, we need a reference to determine whether x or y is too large. According to Table 1, in Zone I:

$$x + y + t_0 = T \quad (26)$$

According to Eq. (19) and (20), x and y represent the current changes in L1 and L2 in one PWM period, respectively. When the required current changes in L1 and L2 are both out of the restricted range, in order to make the status of the two coils equal, the actual current changes of the two coils should be the same, that is:

$$\Delta i_1 = \Delta i_2 \quad (27)$$

According to Eq. (18), (19), (20), (26) and (27), we have:

$$x' = y' = T/2 \quad (28)$$

Therefore, we use T/2 as the reference to determine whether x or y is too large. In zone iv, x is smaller than T/2. We consider that x and y being out of the restricted range is caused only by y being too large. So keep x constant and limit y to y′ = T − x. This avoids the distortion of the current in coil L1, whose required current change in one PWM period is small, that is, whose command signal has the slower change rate. In zone vi, y is smaller than T/2, so keep y constant and limit x to x′ = T − y, similarly to zone iv. In zone v, both x and y are larger than T/2. This means the required current changes in L1 and L2 in one PWM period are both too large. According to Eq. (28), limit x to x′ = T/2 and y to y′ = T/2. Restriction schemes for the lower half plane can be obtained in the same way. The Period Bisection Strategy is shown in Table 3.

Table 3. Period bisection strategy

Zone         | Before restriction     | Restriction strategy
x > 0, y > 0 | x + y ≤ T              | x′ = x, y′ = y
             | x + y > T, x < T/2     | x′ = x, y′ = T − x
             | x + y > T, y < T/2     | x′ = T − y, y′ = y
             | x > T/2, y > T/2       | x′ = T/2, y′ = T/2
x < 0, y > 0 | x, y                   | x′ = −min(−x, T), y′ = min(y, T)
x > 0, y < 0 | x, y                   | x′ = min(x, T), y′ = −min(−y, T)
x < 0, y < 0 | −x − y < T             | x′ = x, y′ = y
             | −x − y > T, −x < T/2   | x′ = x, y′ = −T − x
             | −x − y > T, −y < T/2   | x′ = −T − y, y′ = y
             | −x > T/2, −y > T/2     | x′ = −T/2, y′ = −T/2


4.3 Comparison of Two Duty Ratio Restrictions

Because the restriction schemes for the lower half plane are similar to those for the upper half plane, and the Proportional Reduction Strategy and the Period Bisection Strategy are the same in the second quadrant, we focus on the first quadrant. Figure 7 illustrates the differences between the two duty ratio restrictions in the first quadrant. The red arrows represent the Proportional Reduction Strategy. The blue arrows represent the Period Bisection Strategy.

Fig. 7. The differences of two duty ratio restrictions in the first quadrant

In zone iv, v and vi, the change in the smaller of x and y for the Period Bisection Strategy is smaller than that for the Proportional Reduction Strategy, while the change in the larger of x and y for the Period Bisection Strategy is larger than that for the Proportional Reduction Strategy. It means that, compared with the Proportional Reduction Strategy, the Period Bisection Strategy reduces or even eliminates the distortion of the current in the coil with a slower change rate of the command signal, but it increases the distortion of the current in the coil with a faster change rate of the command signal.
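As an added example, not part of the paper or its FPGA implementation, the following Python puts Tables 1–3 side by side: the state-vector durations of Table 1 give the t0 check of Inequality (18), and the two strategies are applied to a constructed zone-iv input (x = 0.3T, y = 0.9T, with T normalised to 1.0) so the per-coil distortion of each strategy can be compared directly.

```python
"""Added example (not the paper's FPGA code): the two duty ratio restriction
strategies of Tables 2 and 3, with the state-vector durations of Table 1 used
to check that every restricted (x', y') satisfies Inequality (18).

x and y are the duty ratios of Eq. (14)/(15) and T is the PWM period, all in
the same time unit; T = 1.0 below means "fraction of one PWM period".
"""


def clamp(v, lo, hi):
    return max(lo, min(hi, v))


def state_vector_durations(x, y, T):
    """Table 1: duration of A1..A6 and of A0/A7 for the zone containing (x, y).

    Zone boundaries follow from the two active durations being non-negative
    (e.g. zone II needs A2 = y + x >= 0, zone III needs A4 = -x - y >= 0).
    """
    d = {k: 0.0 for k in ("A1", "A2", "A3", "A4", "A5", "A6")}
    if x >= 0 and y >= 0:                  # zone I
        d["A1"], d["A2"] = x, y
    elif x < 0 and y >= 0 and y >= -x:     # zone II
        d["A2"], d["A3"] = y + x, -x
    elif x < 0 and y >= 0:                 # zone III
        d["A3"], d["A4"] = y, -x - y
    elif x < 0 and y < 0:                  # zone IV
        d["A4"], d["A5"] = -x, -y
    elif x >= 0 and y < 0 and -y >= x:     # zone V
        d["A5"], d["A6"] = -y - x, x
    else:                                  # zone VI
        d["A1"], d["A6"] = x + y, -y
    d["A0/A7"] = T - sum(d.values())       # Eq. (8); equals Table 1's last column
    return d


def in_tracking_range(x, y, T):
    """Inequality (18): t0 must not be negative (tiny tolerance for float error)."""
    return state_vector_durations(x, y, T)["A0/A7"] >= -1e-12


def proportional_reduction(x, y, T):
    """Table 2. In the first/third quadrants (x, y) is scaled by k = T/(x+y)
    (Eq. 23-25), so the distortions x-x' and y-y' are proportional to x and y."""
    if x >= 0 and y >= 0:                  # first quadrant
        if x + y <= T:
            return x, y
        k = T / (x + y)                    # Eq. (25), k < 1
        return x * k, y * k                # Eq. (23), (24)
    if x < 0 and y < 0:                    # third quadrant, signs flipped
        if -x - y <= T:
            return x, y
        k = T / (-x - y)
        return x * k, y * k
    # second/fourth quadrants (zones i-iii): each axis is limited on its own
    return clamp(x, -T, T), clamp(y, -T, T)


def period_bisection(x, y, T):
    """Table 3. In the first/third quadrants T/2 (Eq. 28) decides which duty
    ratio is 'too large'; the smaller one is kept and only the larger one is cut."""
    h = T / 2
    if x >= 0 and y >= 0:
        if x + y <= T:
            return x, y
        if x < h:                          # zone iv: only y is too large
            return x, T - x
        if y < h:                          # zone vi: only x is too large
            return T - y, y
        return h, h                        # zone v: both are too large
    if x < 0 and y < 0:
        if -x - y <= T:
            return x, y
        if -x < h:
            return x, -T - x
        if -y < h:
            return -T - y, y
        return -h, -h
    return clamp(x, -T, T), clamp(y, -T, T)


def distortion(strategy, x, y, T):
    """Required minus actual duty ratio per coil, (x - x', y - y');
    dividing by beta (Eq. 16) would express it as a current."""
    xr, yr = strategy(x, y, T)
    return x - xr, y - yr


if __name__ == "__main__":
    T = 1.0
    # constructed sample: coil L1 slow (x = 0.3 T), coil L2 fast (y = 0.9 T), zone iv
    for name, strat in (("proportional", proportional_reduction),
                        ("bisection", period_bisection)):
        xr, yr = strat(0.3, 0.9, T)
        print(f"{name:13s} x'={xr:.3f} y'={yr:.3f} "
              f"distortion={distortion(strat, 0.3, 0.9, T)} "
              f"t0={state_vector_durations(xr, yr, T)['A0/A7']:.3f}")
```

Running it shows the trade-off of Sect. 4.3: proportional reduction distorts both coils (0.05T and 0.15T), while period bisection leaves the slow coil untouched and puts the whole 0.2T cut on the fast coil.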

5 Digital Implementation of Power Amplifier Control Algorithm

The circuit mainly consists of a drive circuit, a three-phase bridge circuit, optical isolation devices, a dead-zone circuit, Hall current sensors, AD chips and an FPGA chip. The Hall sensors measure the current in the electromagnet coils with electrical isolation. The AD chips convert the current and command signals into digital signals and pass them to the FPGA. The control signals S1, S2, S3 are determined by the SVPWM algorithm running in the FPGA. The optical isolation devices reduce signal interference. The dead-zone circuit prevents shoot-through in the bridge arms. The drive circuit drives the three-phase bridge circuit. The main hardware structure is shown in Fig. 8.

Fig. 8. Main hardware structure (cmd1, cmd2 → AD → FPGA → S1, S2, S3 → dead-zone circuit → optocoupler → driver circuit → three-leg circuit → L1, L2; coil currents i1, i2 fed back through Hall sensors to the AD)

The modules in FPGA are shown in Fig. 9.

Fig. 9. The modules in the FPGA (AD driver receiving i1, i2, cmd1, cmd2 from the AD; SVPWM generator producing S1, S2, S3)

FPGA includes two modules: an AD driver module and a SVPWM generator module. The AD driver module is responsible for communication with the ADs to sample the current and command signals. The SVPWM module generates three control signals S1, S2, S3 according to the SVPWM algorithm and the duty ratio restriction strategies described above.

6 Experiments of Two Duty Ratio Restriction Strategies

6.1 Normal Tracking Experiment

To test the power amplifier tracking performance when the command signal is in the tracking range, two command signals were used in the experiments. The first command signal had a frequency of 200 Hz, a peak value of 2.5 Vpp and an offset voltage of 2 Vdc; the second command signal had a frequency of 500 Hz, a peak value of 3.3 Vpp and an offset voltage of 2 Vdc. The effects of the Proportional Reduction Strategy and the Period Bisection Strategy are shown in the diagrams of Fig. 10 a) and Fig. 10 b), respectively. The orange curve on the top of each diagram is the first command signal and the blue curve is the current waveform measured by the Hall sensor for the first coil L1. The purple curve on the bottom of each diagram is the second command signal and the green curve is the current waveform for the second coil L2.

Fig. 10. Waveform of the proportional reduction strategy (left) and the period bisection strategy (right) when command signals are in the tracking range

The experiment shows that, when the command signals are within the tracking range, the Proportional Reduction Strategy and the Period Bisection Strategy both have good tracking performance. The tracking waveforms are not distorted. The two strategies have the same tracking performance because neither strategy limits the duty ratio when the command signals are within the tracking range.

6.2 Comparison of Two Duty Ratio Restriction Strategies When Command Signals Exceed the Tracking Range

To test the power amplifier tracking performance, and the difference between the strategies, when the command signal exceeds the tracking range, the first command signal was kept unchanged and the frequency of the second command signal was increased. The first command signal had a frequency of 200 Hz, a peak value of 2.5 Vpp and an offset voltage of 2 Vdc; the second command signal had a frequency of 1000 Hz, a peak value of 3.3 Vpp and an offset voltage of 2 Vdc. The effects of the Proportional Reduction Strategy and the Period Bisection Strategy are shown in the diagrams of Fig. 11 a) and Fig. 11 b), respectively. The orange curve on the top of each diagram is the first command signal and the blue curve is the current waveform measured by the Hall sensor for the first coil L1. The purple curve on the bottom of each diagram is the second command signal and the green curve is the current waveform for the second coil L2. The command signal is out of the tracking range because the change rate of the second command signal is too fast, so distortion of the current is inevitable and the duty ratio restriction strategies come into play. With the Proportional Reduction Strategy, the distortion of the current in the first coil, whose command signal has the slower change rate, is lower than that in the second coil; the distortion of the current is approximately proportional to the change rate of the command signal. With the Period Bisection Strategy, the distortion of the current in the first coil, whose command signal has the slower change rate, is almost eliminated, though the distortion of the current in the second coil, whose command signal has the faster change rate, is slightly increased.

Fig. 11. Waveform of the proportional reduction strategy (left) and the period bisection strategy (right) when command signals exceed the tracking range

7 Conclusions

In this paper, the SVPWM algorithm for the three-phase bridge circuit is implemented in an FPGA. The power amplifier tracking performance is good. For cases where the change rate of the command signal is out of the tracking range, two duty ratio restriction strategies, the Period Bisection Strategy and the Proportional Reduction Strategy, are proposed. The effect of the two strategies has been verified by experiments. The Proportional Reduction Strategy makes the distortion of the current in each coil proportional to the change rate of the command signal. The Period Bisection Strategy significantly reduces or even eliminates the distortion of the current in the coil whose command signal has the slower change rate, at the cost of a small increase in the distortion of the current in the coil whose command signal has the faster change rate.


References

1. Zhang, K., et al.: Application of active magnetic bearings in flywheel systems. Energy Storage Sci. Technol. 7(5), 783–793 (2018). (in Chinese)
2. Maslen, E.H., et al.: Magnetic Bearings—Theory Design and Application to Rotating Machinery. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00497-1
3. Qian, K.X., et al.: Improved design of permanent maglev impeller assist heart. J. Biomed. Eng. 19(4), 593–595 (2002). (in Chinese)
4. Yim, J., et al.: A novel cost-effective scheme of power amplifier for AMBs using space vector technology. In: Proc. 8th ISMB (2002)
5. Han, F.J., Fang, J.C., Liu, G.: Design and implementation of SVPWM switching power amplifiers for active magnetic bearing. Trans. China Electrotech. Soc. 24(5), 125–130 (2009). (in Chinese)
6. Tian, X.H., Fang, J.C., Liu, G.: Magnetic bearing switching power amplifier based on SVPWM control. Syst. Eng. Electron. 30(8), 1598–1602 (2008). (in Chinese)

Research and Application of 3D Real-Time Simulation Technology for Thermal and Hydraulic Mechanism in Nuclear Power Plant

Zheng-Hui Yang, Hao Wang, and Yi Zhang
State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co., Ltd., Shenzhen 518172, Guangdong Province, China

Abstract. The nuclear power plant simulator displays the thermal-hydraulic conditions of a nuclear power plant in 2D. To enhance the 3D effect of the thermal-hydraulic display of a nuclear power plant, the real-time simulation of the thermal-hydraulic mechanism of a nuclear power plant is studied based on 3D visualization. Firstly, a 3D model is established that can express thermal-hydraulic characteristics; secondly, the real-time data is connected to the simulator through a program interface; finally, Unity3d is used to integrate the 3D model with the received data in real time and display it as a data-driven 3D model. Taking the primary circuit equipment of a nuclear power plant as an example, a 3D visual test is carried out on the thermal-hydraulic mechanism of temperature, pressure and flow rate. The results show that this method can display the thermal-hydraulic mechanism well in 3D, providing a new idea for the training of nuclear power plant personnel.

Keywords: Simulator · Thermal-Hydraulic · Real-time simulation

1 Introduction

The operation of nuclear power facilities requires high human reliability, and the simulation of accident conditions of nuclear power facilities is a necessary part of operator training [1]. At present, the most important and direct method of this training is to use the nuclear power plant simulator. The simulator enables nuclear power plant operators to master the analysis and handling skills for the various operating conditions of the nuclear power plant. But when the simulator simulates the operating conditions of the nuclear power plant, they are displayed through 2D pictures. It cannot visualize the change process of thermal-hydraulic phenomena, and lacks intuitive 3D visual effects. Moreover, it is intended for nuclear power plant operators and is highly specialised, which makes it difficult to demonstrate and analyze the thermal-hydraulic mechanism for new employees and non-operators. This paper adopts VR technology to view nuclear power equipment in a 3D environment, and displays the operation simulation of phenomena such as temperature, pressure and flow rate of nuclear power equipment in a 3D dynamic virtual way. The thermal-hydraulic model can be connected to the simulator data in real time, thus realizing the real-time dynamic simulation of nuclear power thermal-hydraulics in 3D visualization. The system can reproduce the operation of the system under various plant conditions, and it provides a 3D visualization method for simulator training, so as to enhance the 3D perception of trainees and improve the training effect.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021 Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 45–54, 2021. https://doi.org/10.1007/978-981-16-3456-7_6

2 Virtual Reality Technology and Application

Great changes have taken place in world industry, and advanced science has shown great power; in particular, VR is bringing an unprecedented revolution to industry [2]. VR is defined as a set of technologies, and a technical system integrating users and computing has been developed. Its goal is to give users the feeling of living in a virtual world in real time through advanced interfaces, so VR can be regarded as a 3D experience shared between users and a computerized system. Owing to the immersion, interactivity and imagination characteristics of virtual reality [3], this technology has been widely used in all aspects of industry by large enterprises around the world. It has played an important role in improving development efficiency, strengthening data collection and analysis-processing capabilities, reducing decision-making mistakes and reducing enterprise risks. Similarly, it has played an important role in information exchange, generation, operation and management decisions in the nuclear power industry. Overseas research and application started early. O. Fridtjov studied the application of virtual reality to nuclear power plant accident management [4]. I. Yukihiro et al. [5] developed a radiation dose assessment system based on virtual reality technology in the decommissioning engineering support system of the Fugen nuclear power plant in Japan. G. Romero et al. [6] developed a substation virtual reality simulation system. At present, a lot of domestic research has been conducted in this field, and certain results have been achieved. Zhao Pengcheng realized the application of virtual maintenance training for a nuclear power plant by VR [7]. Ma Jianming used VR technology to research and apply nuclear power plant accident emergency response [8]. Chen Ming conducted a preliminary 3D visualization study of a nuclear power plant simulator based on Unity3d [9].
The above cases show that using 3D digital virtual simulation technology to build digital factory applications for the nuclear energy industry, providing multi-person online interactive training function, and implementing visual demonstration, guided operation and open and free operation management modes can effectively solve the problems faced by nuclear energy enterprises.

3 System Implementation

3.1 Design Idea

The design idea of the whole system is mainly shown in Fig. 1. The whole design phase includes 3D modeling, real-time data processing, data driving and 3D visual interaction.


Fig. 1. System design module

3.2 Technical Framework

The system development process involves 3D model building and processing, simulator data docking, database connection, Unity real-time data driving, Unity 3D visualization development, cross-platform publishing and other technical contents. According to the development process, the technical framework adopted by the system is shown in Fig. 2.

Fig. 2. System technical framework


3.3 Thermal Hydraulic Modeling

Construction and Processing of Foundation Model. In this system, PDMS and Pro-E are used to build the layout model of the nuclear power loop system and the mechanical models of the RPV, SG and other equipment. Unity natively supports importing standard polygon formats such as Obj, FBX, 3ds, etc. [10], but it cannot directly import industrial models created by PDMS and Pro-E. In the previous workflow, it was necessary to use 3DMAX and other tools to carry out manual optimization to adjust model wiring and vertex topology. This paper studies the use of the PiXYZ Plugin for Unity to import the industrial digital model built by PDMS and Pro-E. It can automatically optimize the model, ensure that the model runs smoothly in the engine and reproduce the real scene with high fidelity, improving application performance.

Construction of Thermal-Hydraulic Characteristic Shader. The shader with thermal-hydraulic characteristics is constructed using the shader editor ShaderForge. Liquid disturbance is mainly formed by shader texture superposition and UV offset, and the colour-to-value mapping is controlled through node parameter adjustment, thus realizing temperature and pressure colour change, bubble generation, flow and bursting, etc. Finally, the shader material is assigned to the model's mesh renderer to complete the establishment and rendering of the thermal-hydraulic 3D model. To sum up, the whole thermal-hydraulic modeling process of the system is shown in Fig. 3.

Fig. 3. Schematic diagram of thermal hydraulic modeling process

3.4 Real-Time Analog Data Processing

The data of the simulator is the data support of the thermal-hydraulic 3D real-time dynamic simulation system. The data interface system is a transit system that connects the visualization system and the simulator. This part serves as the background data interface of the entire system. It sends the real-time data generated by the simulator to the data-driven model module through the designated protocol, so as to ensure that the simulator data can drive the thermal-hydraulic 3D model on time. The simulator can export data such as pressure, temperature and flow rate in real time through internal functions and store them in Excel tables. Because the exported data contain a large amount of information spread over multiple tables and fields, the system needs to use programs to filter, simplify and fuse the various data, and store the fused data in the database for the 3D engine program to call. The final data structure is shown in Table 1.

Table 1. Real-time visualization data structure of thermal hydraulic system

Name      | Temperature | Pressure    | Velocity of flow
130101010 | 423.842     | 1.74065E+07 | 5778.5
130101020 | 423.851     | 1.74165E+07 | 5778.79
130101030 | 423.860     | 1.74266E+07 | 5778.77
130101040 | 423.869     | 1.74366E+07 | 5778.77
130101050 | 423.877     | 1.74467E+07 | 5778.66
130101060 | 423.886     | 1.74566E+07 | 5781.26

The flow of real-time data processing of the simulator is shown in Fig. 4.

Fig. 4. Real-time data processing flow of simulator

Due to the variety of data types exported by the simulator, the amount of data is huge. This system screens for the data related to thermal-hydraulics through a VSTO plugin program for Excel and stores them in the database, thereby greatly reducing the data volume, avoiding data blocking, and improving data validity and retrieval efficiency. The data stored in the database is regularly read into the data queue of the WebService for the 3D engine program to call, thus improving data independence.

3.5 Data Driven Model

The main function of this part is to receive the transmitted real-time data and drive the real-time changes of the thermal-hydraulic 3D model. Its data access and driving process is shown in Fig. 5. Its greatest feature is converting the acquired real-time simulator data into JSON format for the 3D engine to call. JSON data has the characteristics of more efficient transmission and parsing [11, 12]. The correlation between simulator data and the 3D model is realized through lightweight JSON data driving, which effectively improves the refresh frequency at which Unity reads the data, thus ensuring a smooth real-time picture of the data-driven model.

Fig. 5. Data Drive Module Design Flow Chart

The specific implementation steps of the module are as follows:

(1) Read data from the database through the Web Service interface and convert the data object to JSON format through the serialization interface.
(2) Parse and restore the converted JSON data through the LitJson library on the Unity3d 3D engine side.
(3) Bind the parsed data to the node parameters of the thermal-hydraulic 3D model according to their respective attribute types; the binding drives the node parameters on the 3D model to change in real time, thus achieving the 3D real-time dynamic simulation of the thermal-hydraulic model.

Because it involves thermal-hydraulic real-time simulation of multiple physical characteristics inside different equipment, it is necessary to classify the acquired real-time data and match and associate them with the parameters of the corresponding model shader nodes. The shader controls the colour change of the different states through the values of the node parameters. The correlation matching between the data and the model only needs to convert the acquired real-time data value into a value f(x) in the range 0–1 through the conversion formula (1), where min and max are the minimum and maximum values set for temperature, pressure and flow rate respectively. Finally, according to the conversion values in different intervals, the corresponding parameter nodes can be assigned, thus realizing a universal shader template that simultaneously represents the changes of different thermal-hydraulic characteristics.

$$f(x) = \begin{cases} \dfrac{value - min}{max - min}, & min \le value \le max \\ 0, & value < min \\ 1, & value > max \end{cases} \quad (1)$$

3.6 Dynamic Visualization Interaction The system not only completes the main function of thermal hydraulic real-time simulation, but also provides a convenient dynamic 2–3-D visual interactive operation mode.

Research and Application of 3D Real-Time Simulation Technology


It can present the thermal-hydraulic real-time 3D dynamic simulation from all directions.

3D Model Interaction. This paper extends the conventional 3D interaction mode into a standard Unity 3D interaction toolkit. Common operations such as fly-through roaming, panning, dragging, positioning, centering, looking around and highlighting the border of the selected object can be performed with keyboard and mouse, as shown in Fig. 6.

Fig. 6. Interactive schematic of 3D model

2D Interface Interaction

Navigation and Positioning with Tree Structure. The interface provides a hierarchical navigation tree that matches the model exactly: a 2D hierarchy tree is built that mirrors the internal structure of the 3D model. The structure tree and the 3D model are linked for navigation and positioning in both directions, so selecting a tree node locates the part in the model and selecting a part in the model highlights its tree node. At the same time the tree provides display and hiding of parts, positioning, centering and search; the interface is shown in Fig. 7.

Fig. 7. Navigation tree interface

Dynamic Color Scheme. Since the system involves a variety of thermal-hydraulic characteristics whose numerical values differ widely, it uses UGUI to classify and differentiate the characteristics. To make the display more intuitive and effective, the system adds alpha-channel (transparency) calculation and provides a dynamically configurable color scheme: the color mapping values can be modified according to actual needs and are reflected on the 3D model in real time. The functional interface is shown in Fig. 8.

Fig. 8. Color scheme interface

Real-time Display of Data Status. When a node or model is selected, the system updates the corresponding model code name, temperature, pressure and flow rate in real time through the attribute interface, so that the parameter values can be compared directly with the color depth of the 3D model. The interface is shown in Fig. 9.


Fig. 9. Real-time display interface of parameter data

4 Application Status

To verify the stability, reliability and smoothness of the system, it mainly simulates the reactor, the steam generator, the pumps and other equipment, with functions such as rotation, perspective and hiding. Through color, bubble, flow and burst effects it displays the temperature, liquid level and flow velocity of the equipment, and it can also display the values of a selected parameter. The application effect is shown in Fig. 10.

Fig. 10. Schematic diagram of system operation effect

The system has gradually been put into online operation. After 3D modeling, function development, data docking, installation, debugging and optimization were completed, the system runs stably. It is driven by model data and built to the measured, precise dimensions of the power plant equipment. It uses 3D technology to display the physical parameters and states of the core and the loop system, presenting real-time, dynamic, high-definition and all-round 3D visualization of nuclear island system operation under different working conditions, and finally realizes the dynamic display and analysis of the thermal-hydraulic mechanism.

5 Conclusion

The system combines the simulator with a 3D dynamic display of thermal-hydraulic working conditions, and can demonstrate, analyze and teach thermal-hydraulic phenomena. The simulation effect is realistic and the picture is novel. The dynamic visual effects are backed by background data for the various working conditions, so the complete set of working conditions is covered. From a comprehensive comparison of simulation accuracy, range of working conditions and visual effect, the system has reached the domestic leading level, with advanced technology and good training value. It can be used for personnel training to deepen the understanding of thermal-hydraulic phenomena and principles and to improve training effectiveness.

References

1. Chen, X.: Simulation of Nuclear Power Plant accident conditions based on virtual reality technology. Enterprise Technol. Dev. 31(16), 85–86 (2012)
2. Gao-Qi, H., Kai-Lin, Y., et al.: Research on interactive display technology of energy station based on Unity3D. J. Syst. Simul. 28(10), 2626–2631 (2016)
3. Wei-Jian, R., Fei, T., Qing, Z., et al.: Research on simulation of oil field drilling system based on virtual reality technology. Sci. Technol. Eng. 11(13), 2981–2985 (2011)
4. Fridtjov, O.: Role of the man-machine interface in accident management strategies. Nucl. Eng. Des. 209, 201–210 (2001)
5. Yukihiro, I., Yoshiki, K., Mitsuo, T., et al.: Development of decommissioning engineering support system (DEXUS) of the Fugen nuclear power station. J. Nucl. Sci. Technol. 41(3), 367–375 (2004)
6. Romero, G., Maroto, J., Felez, J., et al.: Virtual reality applied to a full simulator of electrical sub-stations. Electr. Power Syst. Res. 78, 409–417 (2008)
7. Peng-Cheng, Z., Bo, P., Hao, Z.: Research on virtual maintenance training technology for nuclear power plants. Sci. Technol. Innov. Appl. 20, 60–61 (2015)
8. Jian-Ming, M.: Application of virtual reality technology in emergency response of nuclear power plant accidents. Sci. Technol. Innov. Guide 07, 168 (2019)
9. Ming, C., Kun, Q.: Research on 3D visualization design of nuclear power plant simulator. Electron. Instrum. Custom. 26, 72–75 (2019)
10. Chun-Yan, L., Shaohua, L.: Analysis on the ways of importing Unity3d into several 3D model formats. New Technol. New Prod. China 03, 23–24 (2016)
11. Jian-Hua, G.: Application of JSON formatted data in web development. Office Inform. 264, 46–48 (2013)
12. Jing, G., Duan, H.: Research on data transmission efficiency of JSON. Comput. Eng. Des. 32, 2276–2270 (2011)

Research on Software Quality Evaluation Model of Instrument and Control System in Nuclear Power Plant

Huan-Lin Chen (B), Jian-Qiu Zhou, and Yan Li

State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co., Ltd, Shenzhen 518172, China

Abstract. As the nerve center of a nuclear power plant, the quality of the digital instrument and control system is directly related to the stable, safe and efficient operation of the plant. At the same time, the progress of independent research and development of instrument and control systems raises the requirements on security and reliability, so it is very important to evaluate the software quality of the instrument and control system scientifically and reasonably. This paper therefore proposes a software quality evaluation model suited to nuclear power instrument and control systems. On the basis of a three-layer hierarchy, and with a restriction on the relative importance of the two major indicators security and reliability, the weight vectors of the indicators of each layer are calculated and checked by a consistency test. Experts then grade every indicator of the lowest layer one by one, and a weighted sum from the bottom up gives the software quality score of the instrument and control system. The method plays a guiding role in software quality evaluation of instrumentation and control systems in nuclear power plants.

Keywords: Instrument and control system · Evaluating indicator · Analytic hierarchy process

1 Introduction

With the rapid development of information technology, software products are used more and more widely in the field of industrial control and their status is becoming more and more important. As the nerve center of the nuclear power plant, the Digital Control System (DCS) plays an important role in ensuring its safe, reliable and stable operation [1]. Especially in the localization of the DCS of nuclear power plants, the design and development of DCS software products is characterized by heavy tasks and high accuracy and reliability requirements. The quality of the DCS software directly affects the stable, safe and efficient operation of the plant [2], and quality control during localization is the premise for ensuring the quality of nuclear software [3]. It is therefore urgent to evaluate the software quality of the independently developed instrument and control systems of nuclear power plants objectively, scientifically and efficiently. Following the ISO/IEC 25010 software quality evaluation standard, this paper proposes a new quantitative evaluation model based on the analytic hierarchy process [4].

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 55–63, 2021. https://doi.org/10.1007/978-981-16-3456-7_7

2 Software Quality Evaluation Index

Software quality evaluation, that is, the detection and measurement of the quality characteristics of a software product, is based on software quality evaluation criteria, runs through the software life cycle and is carried out in parallel with the development process. It measures software quality continuously throughout development, reveals the current state of software quality and estimates its trend, and so gives the acquirer, the developer and the evaluator a quantitative means of managing and accurately controlling the quality of software products [5]. Software quality evaluation is a complex task, and because software technology develops and changes rapidly there is no single unified evaluation standard at present. The McCall, Boehm, FURPS and Dromey models and the ISO/IEC 9126 and ISO/IEC 25010 standards are the common software quality evaluation systems; among them ISO/IEC 25010 is the successor of ISO/IEC 9126. It divides the quality attributes of a software product into eight characteristics, each composed of a set of related sub-characteristics. Their definitions and division are given in Table 1 (sub-characteristic names follow ISO/IEC 25010:2011).

Table 1. Software quality characteristics and sub-characteristics

Quality characteristic | Definition | Sub-characteristics
Functional applicability (functional suitability in ISO/IEC 25010) | The degree to which the software meets stated and implied needs when used under specified conditions | Functional correctness, functional completeness, functional appropriateness
Performance efficiency | The performance of the software relative to the amount of resources used under specified conditions | Time behaviour, resource utilization, capacity
Compatibility | The degree to which the software can exchange information with other software, systems or components and perform its required functions while sharing the same hardware or software environment | Co-existence, interoperability
Easy to use (usability in ISO/IEC 25010) | The degree to which the software can be used by specified users to achieve specified goals effectively, efficiently and satisfactorily in a specified context of use | Appropriateness recognizability, learnability, operability, user error protection, user interface aesthetics, accessibility
Reliability | The degree to which the software performs specified functions under specified conditions for a specified period of time | Maturity, availability, fault tolerance, recoverability
Security | The degree to which the software protects information and data so that persons or other products have only the degree of access appropriate to their type and level of authorization | Confidentiality, integrity, non-repudiation, accountability, authenticity
Maintainability | The degree of effectiveness and efficiency with which the intended maintainers can modify the software | Modularity, reusability, analysability, modifiability, testability
Portability | The degree of effectiveness and efficiency with which the software can be transferred from one hardware, software or other operational or usage environment to another | Adaptability, installability, replaceability

Because of the particular nature of instrumentation and control system software in nuclear power plants, software of the different safety classes must conform to national and international standards; in particular its security and reliability must strictly comply with the requirements of IEC 60880:2006, IEC 62138:2004, IEC 61513:2011 and NUREG/CR-6101 (1993) [6]. Security and reliability must therefore be treated as key factors when a DCS software quality evaluation model is studied. To explain the assessment process, this paper establishes the software quality evaluation model of the instrument and control system only from the criteria applied to commercial software.


3 Software Quality Evaluation Model Based on Analytic Hierarchy Process

When a software quality evaluation system is established, the qualitative indicators are largely fixed; establishing the quantitative indicators requires a scientific and rational distribution of the weight of each evaluation index. Common weight allocation methods include expert estimation, the analytic hierarchy process, the fuzzy inverse equation method, the chain ratio method and the entropy method. This paper uses the analytic hierarchy process to determine the weights of the evaluation indexes.

3.1 Establishing the Hierarchical Model

Following the analytic hierarchy process, the ISO/IEC 25010 quality evaluation system is divided into three layers: the total quality layer A, the quality characteristic layer B and the sub-characteristic layer C. The total quality layer is the final evaluation result; the quality characteristic layer contains the eight characteristics functional applicability, performance efficiency, compatibility, easy to use, reliability, security, maintainability and portability; and the sub-characteristic layer contains the 31 sub-characteristics of Table 1. The hierarchical model is shown in Fig. 1.

Fig. 1. Hierarchical Structure Model of Software Quality Evaluation

3.2 Constructing the Judgment Matrix

When the weights of factors at different levels are determined only qualitatively, the result is often hard for others to accept, so Saaty et al. proposed the consistent matrix method [7]: instead of weighing all factors together, factors are compared two at a time, and a relative scale is used to reduce the difficulty of comparing many factors of different nature and so to improve accuracy. For example, the elements of the quality characteristic layer are compared pairwise and graded by their relative importance. To quantify the result of the importance comparison between elements, Table 2 lists the nine importance levels given by Saaty and their values.


Table 2. Scaling and meaning of the judgment matrix

Scale | Meaning
a_ij = 1 | index i is as important as index j
a_ij = 3 | index i is slightly more important than index j
a_ij = 5 | index i is more important than index j
a_ij = 7 | index i is obviously more important than index j
a_ij = 9 | index i is absolutely more important than index j
a_ij = 2n, n = 1, 2, 3, 4 | the importance of index i relative to index j lies between that of a_ij = 2n − 1 and a_ij = 2n + 1

The matrix of all pairwise comparisons is called the judgment matrix A = (a_ij)_{k×k}, where k is the number of indicators, as in Formula (1). The matrix has the following properties:

I) a_ij > 0; specifically, if index i is more important than index j then a_ij > 1, otherwise 0 < a_ij < 1;
II) a_ij = 1/a_ji: if the relative importance of index i to index j is a_ij, then the relative importance of index j to index i is 1/a_ij;
III) a_ii = 1: the diagonal of the matrix is 1.

$$
A = \begin{bmatrix} a_{11} & a_{12} & \cdots & a_{1k} \\ a_{21} & a_{22} & \cdots & a_{2k} \\ \vdots & \vdots & \ddots & \vdots \\ a_{k1} & a_{k2} & \cdots & a_{kk} \end{bmatrix} \qquad (1)
$$

Considering the importance of security and reliability in the operation and maintenance of DCS software, an additional restriction is imposed when the judgment matrix is constructed: a_pq > 5 for every index p ∈ {Security, Reliability} and every index q ∈ {Functional applicability, Performance efficiency, Compatibility, Easy to use, Maintainability, Portability}.

3.3 Computing the Weight Vector

The judgment matrix is obtained by comprehensive evaluation and decision by professionals and relevant experts according to the principles above. Once it is established, the weight vector is calculated. First the product P_i of the elements of each row of A is computed:

$$
P_i = \prod_{j=1}^{k} a_{ij}, \qquad i = 1, 2, \cdots, k \qquad (2)
$$

Then the k-th root v_i is taken:

$$
v_i = \sqrt[k]{P_i}, \qquad i = 1, 2, \cdots, k \qquad (3)
$$

and v_i is normalized to give w_i:

$$
w_i = v_i \Big/ \sum_{i=1}^{k} v_i, \qquad i = 1, 2, \cdots, k \qquad (4)
$$

The vector W = [w_1, w_2, ..., w_k]^T is the required weight vector of the matrix.

3.4 Checking Consistency

Since the judgment matrix rests on the independent judgment of the experts, who compare the indexes of a layer two at a time, its consistency must be checked; if the consistency requirement is not met, the judgment matrix has to be regenerated. The check proceeds as follows:

(1) Compute S_j, the sum of the elements of each column of A:

$$
S_j = \sum_{i=1}^{k} a_{ij}, \qquad j = 1, 2, \cdots, k \qquad (5)
$$

(2) Compute λ_max, the maximum eigenvalue of A, by the approximation

$$
\lambda_{\max} = \sum_{i=1}^{k} w_i S_i \qquad (6)
$$

(3) Compute the consistency index CI:

$$
CI = (\lambda_{\max} - k)/(k - 1) \qquad (7)
$$

(4) Compute the random consistency ratio CR:

$$
CR = CI/RI \qquad (8)
$$

where RI is the mean random consistency index, whose values are given in Table 3 [8]. When CR < 0.1 the judgment matrix A has satisfactory consistency; otherwise it must be revised until it does.

3.5 Computing the Comprehensive Score

Following the steps above, the weight vector W of the eight indicators of the quality characteristic layer B (functional applicability, compatibility, etc.) is calculated:

$$
W = [w_1, w_2, \cdots, w_8]^T \qquad (9)
$$


Table 3. Average random consistency index RI

Matrix order k | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8
RI | 0 | 0 | 0.58 | 0.90 | 1.12 | 1.24 | 1.32 | 1.41

Then, in the sub-characteristic layer C, the weight vector W_m of the sub-characteristics under each of the eight indexes is calculated in the same way, each sub-characteristic is scored one by one, and the scoring vector G_m is obtained, as shown in Table 4:

$$
W_m = [w_{m1}, w_{m2}, \cdots, w_{mq}]^T \qquad (10)
$$

$$
G_m = [g_{m1}, g_{m2}, \cdots, g_{mq}], \qquad \sum_{i=1}^{q} g_{mi} = 100 \qquad (11)
$$

where m = 1, 2, ..., 8 and q is the number of sub-characteristics under the given quality characteristic.

Table 4. Weights and scores of the indicators in layers B and C

Quality characteristic (weight, weighted score) | Sub-characteristic | Weight | Score
Functional applicability (w1, t1 = G1 · W1) | Functional correctness | w11 | g11
 | Functional completeness | w12 | g12
 | Functional appropriateness | w13 | g13
Performance efficiency (w2, t2 = G2 · W2) | Time behaviour | w21 | g21
 | Resource utilization | w22 | g22
 | Capacity | w23 | g23
Compatibility (w3, t3 = G3 · W3) | Co-existence | w31 | g31
 | Interoperability | w32 | g32
Easy to use (w4, t4 = G4 · W4) | Appropriateness recognizability | w41 | g41
 | Learnability | w42 | g42
 | Operability | w43 | g43
 | User error protection | w44 | g44
 | User interface aesthetics | w45 | g45
 | Accessibility | w46 | g46
Reliability (w5, t5 = G5 · W5) | Maturity | w51 | g51
 | Availability | w52 | g52
 | Fault tolerance | w53 | g53
 | Recoverability | w54 | g54
Security (w6, t6 = G6 · W6) | Confidentiality | w61 | g61
 | Integrity | w62 | g62
 | Non-repudiation | w63 | g63
 | Accountability | w64 | g64
 | Authenticity | w65 | g65
Maintainability (w7, t7 = G7 · W7) | Modularity | w71 | g71
 | Reusability | w72 | g72
 | Analysability | w73 | g73
 | Modifiability | w74 | g74
 | Testability | w75 | g75
Portability (w8, t8 = G8 · W8) | Adaptability | w81 | g81
 | Installability | w82 | g82
 | Replaceability | w83 | g83

The scoring vector T of the eight indicators of layer B can now be constructed and the final comprehensive quality score F calculated:

$$
T = [t_1, t_2, \cdots, t_8], \qquad t_m = G_m \cdot W_m \qquad (12)
$$

$$
F = T \cdot W \qquad (13)
$$
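As an added worked example, not code from the paper, the following Python module carries the procedure of Sects. 3.2 to 3.5 through end to end: it checks properties I to III of a judgment matrix and the paper's restriction a_pq > 5 for Security and Reliability, computes the weights by Eqs. (2)–(4), runs the consistency test of Eqs. (5)–(8) with the RI values of Table 3, and evaluates Eqs. (9)–(13) bottom-up. The judgment matrices and expert scores are constructed for illustration; the equal sub-feature weights and the 0–100 scoring scale are assumptions. It also shows, on a small intransitive 3×3 matrix, what an inconsistent matrix looks like numerically and why it is rejected.

```python
"""Added worked example (not the paper's code): AHP weights, consistency check
and bottom-up scoring of Sects. 3.2-3.5 with the paper's Security/Reliability
restriction enforced. All matrices and expert scores are constructed."""
from math import prod

RI = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.9, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41}  # Table 3

# Layer B in the order w1..w8 of Table 4; the two restricted characteristics.
LAYER_B = ["Functional applicability", "Performance efficiency", "Compatibility",
           "Easy to use", "Reliability", "Security", "Maintainability", "Portability"]
RESTRICTED = {"Reliability", "Security"}


def is_judgment_matrix(a, tol=1e-9):
    """Properties I-III: a_ij > 0, a_ij * a_ji = 1, a_ii = 1, square."""
    k = len(a)
    return all(len(row) == k for row in a) and all(
        a[i][j] > 0 and abs(a[i][j] * a[j][i] - 1.0) < tol and a[i][i] == 1
        for i in range(k) for j in range(k))


def satisfies_restriction(a, names, restricted=RESTRICTED, floor=5):
    """Paper's extra condition: a_pq > 5 for restricted p and unrestricted q."""
    return all(a[p][q] > floor
               for p, name_p in enumerate(names) if name_p in restricted
               for q, name_q in enumerate(names) if name_q not in restricted)


def weight_vector(a):
    """Eqs. (2)-(4): P_i = prod_j a_ij, v_i = P_i^(1/k), w_i = v_i / sum(v)."""
    k = len(a)
    v = [prod(row) ** (1.0 / k) for row in a]
    total = sum(v)
    return [vi / total for vi in v]


def consistency(a, w):
    """Eqs. (5)-(8): column sums S_j, lambda_max = sum_i w_i S_i, CI and CR."""
    k = len(a)
    s = [sum(a[i][j] for i in range(k)) for j in range(k)]
    lam = sum(w[i] * s[i] for i in range(k))
    ci = (lam - k) / (k - 1) if k > 1 else 0.0
    cr = ci / RI[k] if RI[k] else 0.0
    return lam, ci, cr


def ahp_weights(a, names=None, cr_max=0.1):
    """Weights of one judgment matrix; ValueError if it must be regenerated."""
    if not is_judgment_matrix(a):
        raise ValueError("not a valid judgment matrix (properties I-III)")
    if names is not None and not satisfies_restriction(a, names):
        raise ValueError("Security/Reliability restriction a_pq > 5 violated")
    w = weight_vector(a)
    _lam, _ci, cr = consistency(a, w)
    if cr >= cr_max:
        raise ValueError(f"CR = {cr:.3f} >= {cr_max}: regenerate the judgment matrix")
    return w


def comprehensive_score(layer_b, sub_matrices, sub_scores):
    """Eqs. (9)-(13): W for layer B, t_m = G_m . W_m per characteristic, F = T . W."""
    W = ahp_weights(layer_b, LAYER_B)
    T = [sum(g * wm for g, wm in zip(G, ahp_weights(A)))
         for A, G in zip(sub_matrices, sub_scores)]
    return sum(t * w for t, w in zip(T, W)), T, W


def ratio_matrix(p):
    """Perfectly consistent matrix a_ij = p_i / p_j from a priority list (demo helper)."""
    return [[pi / pj for pj in p] for pi in p]


# Constructed inputs: experts rate Reliability and Security six times as important
# as each other characteristic (a_pq = 6 > 5) and equal to each other; sub-features
# are weighted equally; g_mi are expert scores on an assumed 0-100 scale.
LAYER_B_MATRIX = ratio_matrix([1, 1, 1, 1, 6, 6, 1, 1])
SUB_COUNTS = [3, 3, 2, 6, 4, 5, 5, 3]          # the 31 sub-characteristics of Table 1
SUB_MATRICES = [ratio_matrix([1] * q) for q in SUB_COUNTS]
SUB_SCORES = [[90, 80, 70], [60, 70, 80], [80, 90], [70] * 6,
              [90] * 4, [95] * 5, [60] * 5, [75] * 3]

# A classic intransitive matrix (i > j, j > l, but l > i): fails the CR test.
INCONSISTENT = [[1, 3, 1 / 3], [1 / 3, 1, 3], [3, 1 / 3, 1]]

if __name__ == "__main__":
    F, T, W = comprehensive_score(LAYER_B_MATRIX, SUB_MATRICES, SUB_SCORES)
    print("W =", [round(w, 4) for w in W], "\nT =", [round(t, 2) for t in T], f"\nF = {F:.2f}")
    print("inconsistent 3x3: lambda_max, CI, CR =",
          consistency(INCONSISTENT, weight_vector(INCONSISTENT)))
```

For the constructed layer B matrix the weights come out as 1/3 for Reliability and Security and 1/18 for each of the other six, with λ_max = 8 and CR = 0, so the matrix passes; the 3×3 intransitive matrix gives λ_max = 13/3, CI = 2/3 and CR ≈ 1.15, well above 0.1, and `ahp_weights` refuses it. Note that the geometric-mean weights of Eqs. (2)–(4) and the λ_max of Eq. (6) are the usual approximations to the principal eigenvector; they coincide with the exact eigen-solution for a consistent matrix.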

4 Concluding Remarks

To evaluate the software quality of the DCS of a nuclear power plant scientifically and effectively, a new quantitative evaluation method and model based on the analytic hierarchy process (AHP) is proposed following the ISO/IEC 25010 standard. The model constructs a judgment matrix of relative importance for each evaluation index and assigns high importance values to security and reliability. Through the consistency test, the weight vectors of the indexes are obtained; the lowest-level indexes are scored by experts one by one and summed with their weights from the bottom up, which finally gives the software quality score of the DCS. The quality evaluation model proposed in this paper draws on the traditional analytic hierarchy process and restricts the relative importance values of some evaluation indexes. It conforms to the high requirements of the DCS for security and reliability, and plays a guiding role in the software quality evaluation of instrument and control systems in nuclear power plants.

References

1. Li, H.H., Shang, H.L.: Development and application analysis of digital instrument and control system in nuclear power plant. Sci. Technol. Innov. Appl. 19, 185 (2017)
2. Li, L.P., Yu, X.B.: Software development quality management of nuclear safety instrument and control system. Ind. Control Comput. 2013(08), 19–20 (2013)
3. Wu, X., Li, J.R., Zhou, L.: Quality control of domestic research and development of nuclear grade spare parts for instrument and control system of nuclear power plant. Instrum. Users 025(002), 66–70 (2018)
4. ISO/IEC 25010:2011: Systems and software engineering – Systems and software Quality Requirements and Evaluation (SQuaRE) – System and software quality models
5. Yang, A.M., Zhang, W.X.: Software quality and its quantitative evaluation method. Comput. Eng. Design 27(21), 3987 (2006)
6. Xiang, Y., Xu, Z., Wang, D., Lin, S.Q.: Software quality evaluation and management system for instrument and control system of nuclear power plant. Comput. Knowl. Technol. 13(6) (2017)
7. The Analytic Hierarchy Process, https://wiki.mbalib.com/wiki/AHP. Accessed 26 April 2020
8. Chen, G.D.: A new approach to the mean random consistency index. Syst. Eng. Theory Prac. 12(2) (1992)

The Security Based on Wireless Network in Nuclear Power Plant

Dong Zhang (B) and Sheng-Yong Liao

Beijing Institute of Nuclear Engineering I&C Division, China Nuclear Power Engineering Co., Ltd., Beijing 100086, China

Abstract. Wireless communication technology is widely used in daily life and brings great convenience to our lives. Its low cost, easy maintenance and high flexibility can also benefit the nuclear industry [1]. This paper analyzes the application prospects and benefits of wireless networks in nuclear power plants. For that application, the security risks of wireless networks are introduced, and the specific requirements of domestic and foreign network security standards on the use of wireless networks in industrial settings are reviewed. Finally, security protection strategies and recommendations for wireless networks in nuclear power plants are proposed.

Keywords: Nuclear power plant · Wireless network · Security · Risk · Prevention

1 Application Background of Wireless Network in Nuclear Power Plant

Industrial wireless technology is a hotspot in the industrial field and a revolutionary technology that reduces the cost and improves the efficiency of industrial control systems [1]. Most industrial sites have complex buildings and large amounts of installed equipment, which makes cable laying difficult and maintenance costly. Nuclear power plants have the same problems, and wireless technology has the following advantages in solving them: low cost, high reliability, easy maintenance and high flexibility [2, 3]. Wireless technology has already been used for audio and video communication, mobile inspection and personnel positioning in nuclear power plants, which has brought great convenience to their operation and maintenance. With the gradual maturity of wireless technology and the inevitable trend towards the industrial Internet, its application in nuclear power plants will become more and more extensive. In response to the business needs of nuclear power plants, the application of wireless networks has the following benefits [4]:

• Reduce operation and maintenance pressure and personnel injuries: relieve the burden of personnel inspection and maintenance through video surveillance, mobile inspection and mobile maintenance technologies.
• Prevent human errors: the smart technology and smart meters supported by the wireless network operate in a more standardized way, which reduces personnel intervention and improves the standardization of operation.
• Reduce the cost of the plant: when a wireless network replaces a wired one, the procurement cost of cables is reduced and the laying cost and later maintenance cost are saved.
• Optimize the design: wireless technology provides new methods for the design of power plants. Under the premise of meeting the standards and regulations, the plant design will be optimized, and smart nuclear power plants will be built in conjunction with Internet technology.

The application of wireless networks must meet the functional requirements of nuclear power plants and the particular conditions of the application scenarios, which include:

• the influence of the radiation dose in parts of the plant on the wireless network;
• the interaction between the electromagnetic interference of the wireless network and existing equipment;
• the network security risks of open wireless technology standards, including the security of mobile terminals and mobile applications;
• the problem of wireless access to special closed rooms such as reactor buildings;
• ease of maintenance.

The wireless network should therefore address the matters above and be adapted accordingly before it is applied in a nuclear power plant. This article concentrates on the network security risks of wireless networks, compares and analyzes the standards and regulations on wireless network security in nuclear power plants, and proposes the precautions that need to be considered when wireless networks are applied in nuclear power plants.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 64–70, 2021. https://doi.org/10.1007/978-981-16-3456-7_8

2 The Security Risks of Wireless Network in Nuclear Power Plants

While wireless technology brings convenience, the network security risks that come with it must be considered at the same time. The main security problems faced by wireless networks are:

• Wireless intrusion: because the wireless network uses radio waves as its transmission medium, the physical extent of the network is hard to control and the signal can reach areas outside the intended location, which gives illegal intrusion an opportunity.
• Improper device configuration: the security awareness of users is weak; after a wireless device is enabled, its default configuration is not changed in time and no security configuration such as encryption is performed.
• Unauthorized AP (access point) access: unauthorized APs can join the network without authorization, for example by forging IP (Internet Protocol) or MAC (media access control) addresses (address spoofing).
• Advanced intrusion: the wireless network is a directly exposed boundary device; once a wireless network device has been compromised, a new intrusion can be launched directly into the internal network through it.
• Wireless viruses: malware can spread over the wireless network and damage the wireless devices and the computer hosts on that network.
• Equipment backdoors: wireless network equipment also contains software and systems, and may carry program backdoors left by manufacturers or developers during development. Because of the exposed position of wireless network equipment, such backdoors are more likely to be used to launch network attacks.

Therefore the application of wireless networks must be premised on proper network security protection.
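As an added example that is not part of the paper, the following Python audit runs over constructed Wi-Fi scan records and flags the first three risks listed above: an unknown radio advertising the plant SSID (an evil twin), an inventory AP whose advertised security differs from the authorized configuration or has been left open, and any AP with a weak configuration. The AP inventory, the SSIDs, the BSSIDs, the scan records and the finding names are all assumptions; the records stand in for what a periodic survey near the site boundary might return.

```python
"""Added example (not from the paper): rogue-AP and weak-configuration audit
over constructed Wi-Fi scan records. Inventory, SSIDs, BSSIDs and records
are assumptions made for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanRecord:
    bssid: str       # AP MAC address as seen over the air
    ssid: str
    channel: int
    security: str    # e.g. "WPA2-ENT", "WPA2-PSK", "WEP", "OPEN"
    rssi: int        # dBm


# Assumed plant inventory of authorized APs, keyed by BSSID (lower case).
INVENTORY = {
    "f4:0f:1b:00:00:01": {"ssid": "NPP-OPS", "channel": 36, "security": "WPA2-ENT"},
    "f4:0f:1b:00:00:02": {"ssid": "NPP-OPS", "channel": 44, "security": "WPA2-ENT"},
}
PLANT_SSIDS = {meta["ssid"] for meta in INVENTORY.values()}
WEAK = {"OPEN", "WEP", "WPA"}   # configurations that must not appear on any AP


def classify(record, inventory=INVENTORY, plant_ssids=PLANT_SSIDS):
    """Return the list of findings for one scan record (empty = nothing to report)."""
    findings = []
    known = inventory.get(record.bssid.lower())
    if known is None:
        if record.ssid in plant_ssids:
            findings.append("EVIL_TWIN")          # plant SSID from an unknown radio
        else:
            findings.append("UNKNOWN_AP")         # neighbour or rogue; needs triage
    else:
        if record.ssid != known["ssid"]:
            findings.append("SSID_MISMATCH")
        if record.channel != known["channel"]:
            findings.append("CHANNEL_CHANGED")    # reconfiguration or a spoofed BSSID
        if record.security != known["security"]:
            findings.append("SECURITY_DOWNGRADED")  # default/open config left in place
    if record.security in WEAK:
        findings.append("WEAK_CONFIG")
    return findings


def audit(records, **kw):
    """Map BSSID -> findings for every record that produced at least one finding."""
    report = {}
    for r in records:
        f = classify(r, **kw)
        if f:
            report[r.bssid.lower()] = f
    return report


# Constructed scan records (not real measurements).
SCAN = [
    ScanRecord("f4:0f:1b:00:00:01", "NPP-OPS", 36, "WPA2-ENT", -48),        # authorized
    ScanRecord("f4:0f:1b:00:00:02", "NPP-OPS", 44, "OPEN", -55),            # left open
    ScanRecord("02:11:22:33:44:55", "NPP-OPS", 36, "WPA2-PSK", -70),        # evil twin
    ScanRecord("A0:B1:C2:D3:E4:F5", "Contractor-Hotspot", 6, "WEP", -80),   # unknown, WEP
]

if __name__ == "__main__":
    for bssid, findings in audit(SCAN).items():
        print(bssid, findings)
```

The inventory comparison is what turns a scan into evidence: an AP that is merely "unknown" is a triage item, whereas a known BSSID whose advertised security has changed, or a plant SSID on a radio that is not in the inventory, is an incident. The check is deliberately independent of signal strength, since an attacker's radio may be stronger than the legitimate one.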

3 Analyses of Wireless Network Security Regulations and Standards

Different wireless technologies follow the technical requirements of their own standards, such as the IEEE 802.11 and IEEE 802.15 series, and these standards address security at the protocol level. This paper analyzes and compares the specific requirements on wireless technology in industrial and nuclear power network security standards, which impose additional security requirements on wireless networks. The standards selected are GB/T 22239, IEC 62988, IEC 62443, NIST SP 800-82 and NIST SP 800-94; their scope is summarized in Table 1 [5, 7–10]. The aspects covered are wireless physical security, identity authentication, access control, boundary isolation, intrusion prevention, malicious code prevention, security audit, configuration management, and data backup and recovery.

Table 1. Scope analysis of wireless security standards
Items (rows): physical security; identity authentication; access control; boundary isolation; intrusion prevention; malicious code prevention; security audit; configuration management; data backup and recovery.
Standards (columns): GB/T 22239; IEC 62443; IEC 62988; NIST SP 800-82; NIST SP 800-94.
Note: "√" means the standard has the related requirement; "—" means the standard has no related requirement.

• GB/T 22239 is the basic requirement for the network security of domestic information systems. Its extension requirements for mobile Internet and industrial control systems stipulate the general requirements of wireless network security and cover the basic requirements. However, the underlying standards for wireless applications in the industrial field are incomplete and detailed guidance is lacking.
• IEC 62443 is a series of standards for industrial communication network security. Part 2-4, "Security program requirements for IACS service providers", stipulates the application scope and main protection points of wireless networks in industrial control systems and emphasizes that the wireless protocol should be compatible with the network of the industrial control system, so that wireless technology does not negatively affect the industrial control system.
• IEC 62988 sets out the selection and application requirements for wireless devices in instrumentation and control systems important to safety in nuclear power plants. It stipulates the application scope of wireless technology in I&C systems of the different function categories, and also gives wireless security requirements such as isolation between networks and wireless monitoring and logging.
• NIST SP 800-94 is one of the network security guidelines of the US National Institute of Standards and Technology (NIST). It introduces the application principles, technical guidance and product selection of intrusion detection and prevention systems (IDPS), and sets clear requirements for wireless network security from the perspective of security equipment.
• NIST SP 800-82 is the NIST guide to industrial control system security. It gives brief provisions on wireless network identity authentication, encryption methods and the relationship with industrial control systems.

All of these standards consider the security of wireless networks. The application of wireless networks in nuclear power plants should comply with the requirements of IEC 62988 on the application scope, integrate the security considerations of the various standards, and analyze and study the protection strategies that wireless networks should adopt when applied in nuclear power plants.

4 Nuclear Power Plant Wireless Network Security Protection Strategy

4.1 Application Range of Wireless Network

Because of the special network security considerations of wireless technology, its application in nuclear power plants should be limited to a specific range. From different perspectives, the application limitations of wireless networks are as follows:
• From the perspective of business characteristics, the application of wireless communication technology is limited to non-production business and to production business unrelated to safety [6].
• From the perspective of the functional classification of nuclear power plants, the application of wireless communication technology is limited to the implementation of category C and NC functions as required by IEC61513, and is prohibited for the functions of categories A and B.
• From the perspective of the functional structure of the DCS, wireless communication technology is limited to the data exchange between the layer 1 network and layer 0 wireless instruments, the layer 2 network and the layer 3 network.

4.2 Wireless Network Security Protection Measures

Nuclear power plant wireless network security should follow a defense-in-depth strategy, with prevention and control from the perspectives of basic protection, security detection, security audit, and security operation and maintenance. The prevention and control measures must not cause an unacceptable impact on the functional safety of the system. The protection strategy is shown in Fig. 1.

[Fig. 1 (diagram): the protected objects (wireless network, mobile terminal, mobile application) surrounded by four layers of measures: basic protection (physical security, identity authentication, boundary isolation, access control), security detection (intrusion detection, malicious code prevention), security audit (network audit, data audit), and security operation and maintenance (configuration management, data backup and recovery).]

Fig. 1. The protection strategy of wireless network in nuclear power plant

The Security Based on Wireless Network in Nuclear Power Plant

69

(1) Object
The objects of nuclear power plant wireless network security protection are mainly wireless network sites, switches and access points. In addition, the security of the wireless sensors, mobile terminals and smart mobile applications connected to the network should also be considered to achieve comprehensive protection.

(2) Basic protection
Basic protection is the basic requirement for the network security of the protected objects, mainly including physical security, identity authentication, boundary isolation and access control.
• Physical security: the placement of wireless equipment is decided in combination with environmental conditions, power supply, grounding and wireless power requirements;
• Identity authentication: the wireless network should use a unique identity for authentication, and all messages should be authenticated;
• Boundary isolation: all access and data passing the boundary between the wired network and the wireless network should go through an isolation device for boundary protection, so that wireless network risks cannot spread to the other networks that interface with it, especially networks of a higher security level;
• Access control: the wireless access device should enable access authentication, use a unique service set identifier (SSID), and allow access only to the minimum set of devices identified by IP and MAC address.

(3) Security detection [11]
Security detection requires the detection and prevention of internal and external intrusions in wireless networks.
• Intrusion detection: unauthorized wireless devices in the operating environment should be detected, and unauthorized access to or interference with the system should be reported.
• Malicious code prevention: wireless network communication should be encrypted.

(4) Security audit
The wireless network should be equipped with audit equipment to record the data and network status of the wireless equipment.

(5) Security operation and maintenance
The configuration and management of wireless network equipment, as well as data backup and recovery after a network attack, should be considered from the perspective of operation and maintenance.
• Configuration management: establish a wireless device library to identify illegal wireless access devices; the requirements, impacts and procedures of configuration changes should be clarified, and changes implemented only after strict approval.
• Data backup and recovery: according to the needs of the business, the backup method, backup frequency, storage medium and storage period should be specified. Data recovery procedures should be established, and implementation methods and personnel responsibilities clarified.
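The configuration management and intrusion detection measures above (a wireless device library, a unique SSID, access limited to identified MAC addresses, reporting of unauthorized devices) as an added example that is not from the paper: a check that compares constructed wireless survey records with a constructed device library and reports every mismatch. The SSID, BSSIDs and MAC addresses are placeholders.

```python
"""Added example (not from the paper): audit a wireless site survey against
the plant's wireless device library, as the configuration management and
intrusion detection measures above require. All names and records are
constructed for illustration."""
from dataclasses import dataclass

# Constructed device library: the single authorised SSID, its access points
# (by BSSID) and the client stations (by MAC) allowed to join it.
PLANT_SSID = "NPP-NC-WLAN"                      # hypothetical unique SSID
LIBRARY_APS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}
LIBRARY_CLIENTS = {"66:77:88:cc:dd:10", "66:77:88:cc:dd:11"}


@dataclass(frozen=True)
class Observation:
    """One record from a wireless monitoring sensor (constructed format)."""
    kind: str          # "ap" for a beaconing access point, "client" for a station
    mac: str           # BSSID of the AP, or MAC address of the client
    ssid: str          # SSID advertised by the AP or joined by the client
    peer: str = ""     # clients only: BSSID of the AP they are associated with


def audit_survey(observations, plant_ssid=PLANT_SSID,
                 aps=LIBRARY_APS, clients=LIBRARY_CLIENTS):
    """Compare every observation with the device library and return a list of
    (severity, finding). The check only reports; it never blocks traffic, so it
    cannot affect the functional safety of the controlled process."""
    findings = []
    for o in observations:
        mac, peer = o.mac.lower(), o.peer.lower()
        if o.kind == "ap":
            if mac in aps and o.ssid == plant_ssid:
                continue                                   # authorised AP
            if o.ssid == plant_ssid:
                findings.append(("high", f"AP {mac} advertises the plant SSID but is not in the library"))
            elif mac in aps:
                findings.append(("high", f"library AP {mac} advertises unexpected SSID {o.ssid!r}"))
            else:
                findings.append(("medium", f"unknown AP {mac} advertising {o.ssid!r}"))
        elif o.kind == "client":
            if mac not in clients:
                findings.append(("high", f"unknown client {mac} associated with {peer}"))
            elif peer not in aps:
                findings.append(("high", f"library client {mac} associated with non-library AP {peer}"))
        else:
            findings.append(("low", f"unrecognised record type {o.kind!r} for {mac}"))
    return findings


# Constructed survey: two library APs, one foreign AP using the plant SSID, one
# unrelated AP, one library client on a library AP, one library client on the
# foreign AP, and one unknown client on a library AP.
SURVEY = [
    Observation("ap", "00:11:22:AA:BB:01", "NPP-NC-WLAN"),
    Observation("ap", "00:11:22:aa:bb:02", "NPP-NC-WLAN"),
    Observation("ap", "de:ad:be:ef:00:01", "NPP-NC-WLAN"),
    Observation("ap", "de:ad:be:ef:00:02", "Guest-Hotspot"),
    Observation("client", "66:77:88:cc:dd:10", "NPP-NC-WLAN", "00:11:22:aa:bb:01"),
    Observation("client", "66:77:88:cc:dd:11", "NPP-NC-WLAN", "de:ad:be:ef:00:01"),
    Observation("client", "00:aa:bb:cc:dd:ee", "NPP-NC-WLAN", "00:11:22:aa:bb:02"),
]


def severity_counts(findings):
    """Summary suitable for the audit record: number of findings per severity."""
    counts = {}
    for severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, text in audit_survey(SURVEY):
        print(f"[{severity}] {text}")
    print(severity_counts(audit_survey(SURVEY)))   # {'high': 3, 'medium': 1}
```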

5 Summaries

The application of wireless networks in the industrial field is at an exploratory stage, and is currently mainly considered for the non-production business of nuclear power plants. Precisely because it is in its infancy, its network security risks should be considered as a whole, and network security measures deployed so that the business level is improved while network security risks remain manageable. With the maturity of wireless technology and the improvement of security, it will also bring huge benefits to the production business of nuclear power plants [12]. Of course, this process requires the improvement of the relevant standards and regulations and the joint exploration of technical staff in order to achieve the standardized and secure application of wireless networks in nuclear power plants.

References

1. Zeng, P., Xu, D.-K.: Applications of industrial wireless technologies in oil-gas industry. Technology of Industrial Wireless Communication (2008)
2. Fang, Y.-B.: Discussion of industrial wireless network engineering design. Automation in Petro-Chemical Industry (2012)
3. Fang, Y.-B.: Device types of industrial wireless network. Process Automation Instrumentation (2015)
4. Zeng, P.: Standardization and application of industrial wireless. China Instruments (2008)
5. GB/T 22239: Information security technology – baseline for classified protection of cybersecurity (2019)
6. IEC 62859: Requirement for coordinating safety and cybersecurity (2016)
7. IEC 62988: Nuclear power plants – Instrumentation and control systems important to safety – selection and use of wireless devices (2018)
8. IEC 62443: Security for industrial automation and control systems – part 2–4: security program requirements for IACS service providers (2017)
9. NIST-SP800-82: Guide to industrial control systems (ICS) security (2015)
10. NIST-SP800-94: Guide to intrusion detection and prevention system (IDPS) (2015)
11. Li, W.-Y., He, W.-X., Tan, B.: Research and practice of wireless security monitoring and protection. Cyberspace Security (2018)
12. Gao, H.-R.: The situation and future development of wireless industrial networks. China Instruments (2008)

Information Fusion Analysis of Cyberattack Identification Based on D-S Evidence Theory

Chao Guo(B), Jiang-Hai Li, Wen Si, and Xiao-Jin Huang

Institute of Nuclear and New Energy Technology, Collaborative Innovation Center of Advanced Nuclear Energy Technology, Key Laboratory of Advanced Reactor Engineering and Safety of Ministry of Education, Tsinghua University, Beijing 10084, China
[email protected]

Abstract. Cyberattack threats to nuclear power plants (NPPs) are becoming increasingly common and serious. Even if the digital instrumentation and control (I&C) systems have adopted preventive measures such as physical isolation, the risk of cyberattack is still unavoidable, which significantly affects the safe and stable operation of the NPPs. Cyberattack identification of I&C systems is one of the most important steps in cyberattack assessment. As the network structure and system functions of the I&C system become more and more complex, the attack methods also become more and more diversified. Cyberattack identification from a single information source can hardly identify the various types of cyberattacks. It is necessary to integrate information from multiple sources through information fusion methods to obtain more comprehensive and reliable cyberattack identification. This paper uses D-S evidence theory to integrate data from different sources, including both cyber and physical spaces. Dempster's rule of combination is used to synthesize the basic probability distribution of each piece of evidence, and the attack type identification is performed. Three typical types of cyberattacks, including denial of service, packet injection, and feedback spoofing, together with the normal operation status are identified in this paper. To obtain the basic probability assignment (BPA) of each attribute, the triangular fuzzy number method is adopted. The experimental results show that the method adopted in this paper can effectively fuse the information from both cyber and physical spaces, and can accurately identify the four categories of cyberattacks.

Keywords: Cyberattack identification · Information fusion · D-S evidence theory · Nuclear power plant · Digital instrumentation and control system

1 Introduction

The control and operation of nuclear power plants (NPPs) is increasingly dependent on digital Instrumentation and Control (I&C) systems [1]. Compared with traditional analogue ones, digital I&C systems have greatly improved in terms of equipment volume, sampling precision, computing capability, and human-machine interface friendliness [2]. However, they have also brought a series of threats to the NPPs: on the one hand, the functions of signal acquisition, logic calculation, and motion output of the digital I&C systems depend on the computer software of the system platform, so a software failure can directly cause the failure of the I&C system; on the other hand, the various devices of a digital I&C system rely on network communication for command and information transfer. Computer software and network communication have thus become the entry points of cyberattacks [3]. Even if the I&C system adopts preventive measures such as physical isolation, the risk of cyberattack is still unavoidable. With the development of attack technologies, NPPs are facing increasing cybersecurity risks, including the theft of information, the malicious modification of data, the illegal access of control, etc. [4]. At present, several cyberattacks on nuclear facilities have been disclosed internationally, and the cybersecurity issue has received growing attention from regulatory authorities, design institutes, development agencies, and other stakeholders. As one of the most important monitoring and control systems in the entire plant, the distributed control system (DCS) is essential for the safe and stable operation of an NPP. The DCS's devices are connected into multiple networks of different levels through communication. This complex architecture also makes it a major target for cyberattacks [5]. Cyberattack identification of I&C systems is the first step in cyberattack assessment. Different types of attacks have different impact ranges, urgency, consequences, and countermeasures. Therefore, cyberattack identification is also the basis and premise for a correct and real-time attack response. As the network structure and system functions of the I&C system become more and more complex, the attack methods also become more and more diversified, and the manifestation of an attack is usually reflected in multiple aspects, which increases the difficulty of cyberattack identification [6].

A single information source can hardly identify the various types of cyberattacks. It is necessary to integrate information from multiple sources through information fusion to obtain more comprehensive and reliable cyberattack identification. The Dempster-Shafer (D-S) evidence theory was proposed by Dempster in 1967 and Shafer in 1976, and it can be used for uncertain information processing and fusion in the fields of expert systems, target recognition, artificial intelligence, decision-making, and risk analysis [7, 8]. This paper uses D-S evidence theory to integrate data for cyberattack identification. These data are collected from a cybersecurity testbed, which contains an HMI, a PLC, a switch, and a cyberattack server; data of both cyber and physical spaces are collected. Dempster's rule of combination is used to synthesize the basic probability distributions of each piece of evidence, and the attack type identification is performed. We select three typical types of cyberattacks together with the normal working status as the categories to be identified, and the triangular fuzzy number method is adopted to obtain the basic probability assignment (BPA) of each attribute. In the following, Sect. 2 presents the theoretical foundations of D-S evidence theory. The testbed and the types of cyberattacks we worked on are introduced in Sect. 3. In Sect. 4, the experimental results are discussed. The conclusions are summarized in Sect. 5.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 71–83, 2021. https://doi.org/10.1007/978-981-16-3456-7_9

72

C. Guo et al.

Information Fusion Analysis of Cyberattack Identification

73

2 Theoretical Foundations

2.1 Basic Concepts

D-S evidence theory is considered to be a general extension of Bayesian theory: it expands the basic event space of probability theory into the power set of the basic events, and establishes a basic probability assignment function on it. Let $\Theta = [\theta_1, \theta_2, \cdots, \theta_N]$ be a finite complete set consisting of multiple mutually exclusive elements, which is also called the frame of discernment. Here $\theta_1, \theta_2, \cdots, \theta_N$ are all possible states of the system under consideration. Then the power set of $\Theta$ is defined as

$$2^{\Theta} = \{\emptyset, \theta_1, \theta_2, \cdots, \theta_N, \theta_1 \cup \theta_2, \cdots, \theta_1 \cup \theta_2 \cup \theta_3, \cdots, \Theta\} \quad (1)$$

$\forall A \subseteq \Theta$, if the function $m : 2^{\Theta} \to [0, 1]$ meets the following two conditions:

$$m(\emptyset) = 0 \quad (2)$$

$$\sum_{A \subseteq \Theta} m(A) = 1 \quad (3)$$

then $m$ is called a basic probability assignment (BPA), also called a mass function, where $m(A)$ is the basic support degree of the evidence $m$ for the proposition $A$. If $m(A) > 0$, $A$ is called a focal element of $m$, and the set of all focal elements forms the core of this BPA. The belief function and the plausibility function are defined respectively as

$$\mathrm{Bel}(A) = \sum_{B \subseteq A} m(B), \quad A \in 2^{\Theta} \quad (4)$$

$$\mathrm{Pl}(A) = 1 - \mathrm{Bel}(\bar{A}) = \sum_{B \cap A \neq \emptyset} m(B) \quad (5)$$

Here $\mathrm{Bel}(A)$ means the true possibility of $A$, and $\mathrm{Pl}(A)$ means the unsuspicious possibility of $A$. The relationship of $\mathrm{Bel}(A)$, $m(A)$, and $\mathrm{Pl}(A)$ is expressed as

$$\mathrm{Bel}(A) \le m(A) \le \mathrm{Pl}(A), \quad \forall A \subseteq \Theta \quad (6)$$

which means that $\mathrm{Bel}(A)$ and $\mathrm{Pl}(A)$ indicate the lower and upper limits of the support for the proposition $A$, respectively.

2.2 Dempster's Rule of Combination

To combine information from multiple independent information sources, D-S evidence theory provides a combination rule to achieve the fusion of multiple pieces of evidence; its essence is the orthogonal sum of the evidence.


Let $m_1$ and $m_2$ be two BPAs whose focal elements are $A_1, A_2, \ldots, A_k$ and $B_1, B_2, \ldots, B_j$, respectively, and let $m$ represent the new evidence after combining $m_1$ and $m_2$. Dempster's rule of combination is expressed as

$$\begin{cases} m(\emptyset) = 0 \\ m(A) = \dfrac{1}{1-k} \sum_{A_i \cap B_j = A} m_1(A_i)\, m_2(B_j) \end{cases} \quad (7)$$

Here $k = \sum_{A_i \cap B_j = \emptyset} m_1(A_i)\, m_2(B_j)$ is called the conflict coefficient, which measures the degree of conflict between the focal elements of the evidence. A larger $k$ means a greater conflict [9].

2.3 Triangular Fuzzy Number

How to generate BPAs reasonably is a key issue in the practical application of D-S evidence theory. In this paper, a BPA generation method based on triangular fuzzy numbers is adopted. Let $U$ be a universe and $\mu_{\tilde{A}}$ a function that maps any element $x \in U$ to the closed interval $[0, 1]$, that is,

$$\mu_{\tilde{A}} : U \to [0, 1], \quad x \mapsto \mu_{\tilde{A}}(x) \quad (8)$$

Then the set $\tilde{A}$ determined by this function is called a fuzzy set on the universe $U$, or a fuzzy set for short. $\mu_{\tilde{A}}$ is called the membership function of the fuzzy set $\tilde{A}$, and $\mu_{\tilde{A}}(x)$ is the membership of the element $x$ in the fuzzy set $\tilde{A}$. If the membership function of a fuzzy number $A$ is defined as

$$\mu_A(x) = \begin{cases} 0, & x < a \\ \cdots \\ 0, & x > c \end{cases} \quad (9)$$

the fuzzy number $A$ is called a triangular fuzzy number. When $\omega = 1$, $A$ is called a regular triangular fuzzy number and is written as $A = (a, b, c; 1)$. When $0 < \omega < 1$, $A$ is called a generalized triangular fuzzy number and is written as $A = (a, b, c; \omega)$.

2.4 BPA Generation Method Based on Triangular Fuzzy Number

This paper uses the method of generating BPAs based on triangular fuzzy numbers proposed in [10]. Figure 1 shows the framework of the multi-attribute decision-making process with triangular fuzzy numbers.

Step 1: training and test data generation. The raw data set is divided into two parts: the training data set and the test data set. The training data set is used to build the membership distribution model (attribute model), and the test data set is used to verify the correctness of the model.


Fig. 1. Multi-attribute decision-making process of BPA generation framework based on triangular fuzzy numbers.

Suppose there are a total of $\omega$ samples in the original raw data set, that these samples belong to $n$ categories and constitute a frame of discernment $\Theta = [\theta_1, \theta_2, \cdots, \theta_n]$, and that each sample contains $k$ attributes. First, in the raw data set, $m$ samples are randomly selected from category $i$ as training samples, and the remaining samples are used as test samples. Construct a $k$-dimensional vector $\vec{t}_i$ to represent a certain training sample:

$$\vec{t}_i = \left(x_{i1}, x_{i2}, \cdots, x_{ij}, \cdots, x_{ik}\right) \quad (10)$$

where $x_{ij}$ represents the value of a sample in category $i$ on attribute $j$, $i = 1, 2, \ldots, n$, $j = 1, 2, \ldots, k$.


Furthermore, a matrix $T_i$ can be constructed, which contains all training samples belonging to category $i$:

$$T_i = \left[\vec{t}_i^{\,1}, \vec{t}_i^{\,2}, \cdots, \vec{t}_i^{\,p}, \cdots, \vec{t}_i^{\,m}\right]^{T} = \begin{bmatrix} x_{i1}^{1} & x_{i2}^{1} & \cdots & x_{ij}^{1} & \cdots & x_{ik}^{1} \\ x_{i1}^{2} & x_{i2}^{2} & \cdots & x_{ij}^{2} & \cdots & x_{ik}^{2} \\ \vdots & \vdots & & \vdots & & \vdots \\ x_{i1}^{p} & x_{i2}^{p} & \cdots & x_{ij}^{p} & \cdots & x_{ik}^{p} \\ \vdots & \vdots & & \vdots & & \vdots \\ x_{i1}^{m} & x_{i2}^{m} & \cdots & x_{ij}^{m} & \cdots & x_{ik}^{m} \end{bmatrix} \quad (11)$$

where $x_{ij}^{p}$ represents the value of the $p$-th training sample in category $i$ on attribute $j$, $i = 1, 2, \ldots, n$, $j = 1, 2, \ldots, k$, $p = 1, 2, \ldots, m$.

Step 2: triangular fuzzy number model construction. For the category $i$ and attribute $j$ to be determined, calculate the minimum value $a_{ij}$, average value $b_{ij}$ and maximum value $c_{ij}$ of all samples belonging to category $i$ on the $j$-th attribute:

$$\begin{cases} a_{ij} = \min(T_i(:, j)) \\ b_{ij} = \overline{T_i(:, j)} = \dfrac{\sum T_i(:, j)}{m} \\ c_{ij} = \max(T_i(:, j)) \end{cases} \quad (12)$$

where $i = 1, 2, \ldots, n$, $j = 1, 2, \ldots, k$. Based on the three values of minimum, average, and maximum, a triangular fuzzy number model can be established to describe the membership distribution of the training samples on each attribute.

Step 3: matching test samples with the triangular fuzzy number models to generate BPAs. Suppose $G$ is a certain proposition under the frame of discernment, and $t$ is the characteristic value of a test sample on an attribute. The degree of matching between the test sample and the proposition $G$ is defined as

$$H(G \leftarrow t) = \mu_G(x)|_{x=t} \quad (13)$$

The value of $H(G \leftarrow t)$ reflects how well the test sample matches the proposition $G$. When the triangular fuzzy number model is used for the calculation, the higher the matching degree between the test sample $t$ and the triangular fuzzy number model corresponding to the proposition $G$, the greater the possibility that it belongs to $G$.

Step 4: generate the BPAs, use Dempster's rule of combination for information fusion, and make the decision based on the fusion result.

3 Testbed and Cyberattack Types Description

A cooling water supply control system was developed for process control simulation, human-machine interface (HMI) monitoring, cyberattack simulation and attack data extraction [11]. The topology of the corresponding industrial control system (ICS) security box is shown in Fig. 2. The cooling water supply control system is composed of three major parts: an HMI, a PLC (Programmable Logic Controller), and a network switch. The HMI shows the flow chart of the cooling water supply control system, the status of a pump and a valve, and real-time water level information obtained through communication with the PLC. The system has two working modes: manual or automatic. In manual mode, the operator can manually switch the pump and valve on and off. If the operator changes the mode to automatic on the HMI, the PLC automatically runs the pump and valve, and cyclically performs draining and filling operations within a certain water level interval.

Fig. 2. Topology of the security box for the industrial control system.

A cyberattack server is also connected to this cooling water supply control system through the switch. This paper assumes that the cyberattack server can implement three types of attacks: denial of service (DoS), packet injection, and feedback spoofing. These three types of cyberattacks are typical representatives of three levels of attacks:

a) DoS. The attacker sends fake ARP packets to the HMI and PLC, causing the HMI to lose its connection with the PLC, so that the HMI denies service. The attacker only needs to master common network attack methods to realize this kind of attack. For the cooling water supply control system, an HMI denial of service means that normal production cannot be carried out, and manual intervention is required to return to normal.

b) Packet injection. There may be security risks in industrial control protocols, such as allowing unauthorized access. Attackers can use these risks to simulate normal operations on the controller, such as starting or stopping the controller, to implement cyberattacks. Once the controller is abnormally started or stopped, it may cause severe or even fatal damage to the industrial environment. Compared to a DoS attack, this type of cyberattack places higher requirements on the attacker, who needs a certain foundation in industrial control.

c) Feedback spoofing. If the communication protocol between the HMI and the PLC has no identity authentication process, all data packets can be monitored, modified and forged by a middleman. An attacker could exploit this weakness to modify data packets in a man-in-the-middle manner, so that normal data is displayed on the HMI while the PLC may actually be in an abnormal state. Because the attacker tampers with the data between the HMI and the PLC, the HMI information is spurious and the user cannot find the problem. This type of attack has the highest requirements on the attacker: to perform it, the attacker needs to be very familiar with the actual process of the attacked system.

In our security box for the ICS, a PC is connected to the switch for auditing the system. Through the port mirroring function of the switch, it can monitor the communication data of any port in the system without affecting normal communication, which supports the subsequent research work in this paper. A photo of the developed security box is shown in Fig. 3.

Fig. 3. Photo of the developed security box.

4 Experimental Results and Analysis

In this section, we introduce and analyze the results of the tests we conducted on our ICS security box, following the decision-making steps described in Sect. 2.4.

4.1 Training and Test Data Generation

The cooling water supply control system is set to automatic mode through the HMI before the cyberattack experiment. In this mode, the PLC automatically performs water filling and draining operations: when the water level is lower than 1 m, the drain valve is closed and the pump is started to fill the tank; when the water level is higher than 9 m, the pump is stopped and the drain valve is opened to drain it. Under normal circumstances, the water level in the tank continuously cycles between 1 m and 9 m. The high alarm setting of the water level is 8 m and the low alarm setting is 2 m; when the level is outside this range, the HMI displays an alarm message. We sample the communication data of the HMI under the three types of attacks described in Sect. 3, together with the normal working condition. The categories studied in this paper are therefore: 1) Normal (Norm); 2) DoS; 3) Packet injection (PI); 4) Feedback spoofing (FS). The attributes of the samples we selected are: a) the total length of packets received and sent by the HMI port per unit time; b) the change in water level of the water tank received by the HMI per unit time. Since these attributes belong to the cyber and physical spaces, respectively, we refer to them as Attributes CS (cyber space) and PS (physical space) for short. The attributes CS and PS may be affected by different attacks, and different attacks affect them in different ways. For example, in the case of a DoS attack, the communication between the HMI and the PLC is affected, and the HMI receives fewer water level changes than normal, which helps to identify the type of attack. In the experiment, for each category, we randomly collected 32 sets of data, each set lasting 10 s. 30 sets are used for model training, and the remaining 2 sets are used to test the correctness of the model.

4.2 Triangular Fuzzy Number Model Construction

The minimum, average, and maximum values of the two attributes for the four categories are shown in Table 1. The corresponding triangular fuzzy models are illustrated in Fig. 4 and Fig. 5, respectively.

Table 1. Values of triangular fuzzy numbers of two attributes for four categories.

Categories   CS (cyber space)/byte              PS (physical space)/times
             Minimum   Average   Maximum        Minimum   Average   Maximum
Norm         42279     49063.2   54672          99        99.8      100
DoS          40885     42314.0   46379          63        69.5      83
PI           40522     44405.8   68058          0         0         0
FS           40885     41348.8   43199          33        76.0      101

[Fig. 4 (plot): triangular fuzzy model of Attribute CS; membership (0 to 1) against total length of packets per 10 s / byte (4 to 7, ×10^4); one triangle each for Norm, DoS, PI and FS.]

Fig. 4. Triangular fuzzy model of Attribute CS.

[Fig. 5 (plot): triangular fuzzy model of Attribute PS; membership (0 to 1) against change in water level per 10 s / times (-20 to 120); one triangle each for Norm, DoS, PI and FS.]

Fig. 5. Triangular fuzzy model of Attribute PS.

4.3 Test Samples Matching and BPA Generation

For each category, we additionally collected two sets of data for method verification. The attribute information of these 8 sets of test data is shown in Table 2. Take the data of Group 1 in Category DoS as an example. We match it with the triangular fuzzy number models of CS and PS in Fig. 4 and Fig. 5, as shown in Fig. 6 and Fig. 7, respectively.

Table 2. Attribute values of test sets in four categories.

Categories   Group 1                 Group 2
             CS/byte   PS/times      CS/byte   PS/times
Norm         48647     100           48919     100
DoS          43177     75            42567     79
PI           64416     0             43536     0
FS           41383     36            40945     99

[Fig. 6 (plot): the DoS Group 1 test data (CS = 43177 byte) matched against the triangular fuzzy models of Attribute CS; the marked memberships are 0.7877 (DoS), 0.6836 (PI), 0.1324 (Norm) and 0.0119 (FS).]

Fig. 6. Test data matching with triangular fuzzy model of attribute CS.

[Fig. 7 (plot): the same test data (PS = 75 times) matched against the triangular fuzzy models of Attribute PS; the marked memberships are 0.9775 (FS) and 0.5926 (DoS).]

Fig. 7. Test data matching with triangular fuzzy model of attribute PS.

After normalization, the BPAs of the test sample on the two attributes CS and PS are as follows:

$m_{CS}$: $m_{CS}(\mathrm{DoS}) = 0.4876$, $m_{CS}(\mathrm{DoS}, \mathrm{PI}) = 0.4231$, $m_{CS}(\mathrm{Norm}, \mathrm{DoS}, \mathrm{PI}) = 0.0819$, $m_{CS}(\mathrm{Norm}, \mathrm{DoS}, \mathrm{PI}, \mathrm{FS}) = 0.0074$

$m_{PS}$: $m_{PS}(\mathrm{FS}) = 0.6226$, $m_{PS}(\mathrm{DoS}, \mathrm{FS}) = 0.3774$

4.4 BPA Fusion Using Dempster's Rule of Combination

Using Dempster's rule of combination to fuse the BPAs on these two attributes, the final BPA of the test sample is

$m(\mathrm{DoS}) = 0.9807$, $m(\mathrm{FS}) = 0.0120$, $m(\mathrm{DoS}, \mathrm{FS}) = 0.0073$.

Taking the focal element with the highest BPA value as the decision result, the cyberattack type corresponding to this sample is DoS, so the prediction is correct. The same calculation for the other 7 groups of test data also gave the correct cyberattack type, which illustrates the correctness and effectiveness of our cyberattack identification method.
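The BPA generation of Sect. 2.4 and the worked numbers of Sect. 4.3 and 4.4 in one added example that is not the authors' code: it takes the Table 1 models and the DoS Group 1 sample from Table 2 and reproduces the per-attribute BPAs, the conflict coefficient and the fused BPA. The membership function is assumed to be the standard triangular form, and Table 1 prints the averages rounded, so the results agree with the paper to about three decimals.

```python
"""Added example (not the paper's code): BPA generation from triangular fuzzy
numbers and Dempster's rule of combination, run on the paper's Table 1 models
and the DoS Group 1 test sample of Table 2."""
from itertools import product

# Table 1: (minimum, average, maximum) of each category on each attribute.
MODELS = {
    "CS": {"Norm": (42279, 49063.2, 54672), "DoS": (40885, 42314.0, 46379),
           "PI": (40522, 44405.8, 68058), "FS": (40885, 41348.8, 43199)},
    "PS": {"Norm": (99, 99.8, 100), "DoS": (63, 69.5, 83),
           "PI": (0, 0, 0), "FS": (33, 76.0, 101)},
}
# Table 2, DoS, Group 1 (the sample walked through in Sect. 4.3 and 4.4).
DOS_GROUP_1 = {"CS": 43177, "PS": 75}


def triangular_membership(x, a, b, c, omega=1.0):
    """Assumed standard form of the triangular fuzzy number (a, b, c; omega):
    rises linearly from 0 at a to omega at b and falls back to 0 at c."""
    if a == b == c:                       # degenerate model, e.g. PI on attribute PS
        return omega if x == a else 0.0
    if x <= a or x >= c:
        return 0.0
    if x <= b:
        return omega if b == a else omega * (x - a) / (b - a)
    return omega * (c - x) / (c - b)


def fit_model(samples):
    """Eq. (12): (min, mean, max) of the training samples of one category."""
    return (min(samples), sum(samples) / len(samples), max(samples))


def generate_bpa(t, models):
    """Steps 3-4 of Sect. 2.4 as the paper's numbers reproduce them: rank the
    categories by membership H(G <- t), give the i-th membership to the nested
    set of the i best categories, drop zero-membership sets and normalise."""
    ranked = sorted(((triangular_membership(t, *abc), cat)
                     for cat, abc in models.items()), reverse=True)
    bpa, nested = {}, []
    for mu, cat in ranked:
        nested.append(cat)
        if mu > 0:
            bpa[frozenset(nested)] = mu
    total = sum(bpa.values())
    if total == 0:
        return {frozenset(models): 1.0}   # no model matches: total ignorance
    return {A: mu / total for A, mu in bpa.items()}


def dempster_combine(m1, m2):
    """Eq. (7): orthogonal sum of two BPAs. Returns (fused BPA, conflict k)."""
    fused, k = {}, 0.0
    for (A, ma), (B, mb) in product(m1.items(), m2.items()):
        C = A & B
        if C:
            fused[C] = fused.get(C, 0.0) + ma * mb
        else:
            k += ma * mb
    if k >= 1.0:                          # 1/(1-k) undefined: evidence totally conflicting
        raise ValueError("total conflict between evidence sources (k = 1)")
    return {C: v / (1.0 - k) for C, v in fused.items()}, k


def identify(sample, models=MODELS):
    """Fuse the per-attribute BPAs and decide by the focal element with the
    highest mass. Returns (decision, fused BPA, conflict of the last fusion)."""
    m, k = None, 0.0
    for attr, t in sample.items():
        m_attr = generate_bpa(t, models[attr])
        m, k = (m_attr, 0.0) if m is None else dempster_combine(m, m_attr)
    best = max(m, key=m.get)
    return "/".join(sorted(best)), m, k


def show(label, m):
    for A, v in sorted(m.items(), key=lambda kv: -kv[1]):
        print(f"  {label}({'/'.join(sorted(A))}) = {v:.4f}")


if __name__ == "__main__":
    for attr, t in DOS_GROUP_1.items():
        show(f"m{attr}", generate_bpa(t, MODELS[attr]))
    decision, m, k = identify(DOS_GROUP_1)
    print(f"  conflict k = {k:.4f}")
    show("m", m)
    print("decision:", decision)          # DoS, as in Sect. 4.4
```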

5 Conclusions

Cyberattack threats to nuclear power plants are becoming increasingly common and serious. Even if the digital I&C systems have adopted preventive measures such as physical isolation, the risk of cyberattack is still unavoidable. Cyberattack identification of I&C systems is one of the most important steps in cyberattack assessment. As the network structure and system functions of the I&C system become more and more complex, attack identification from a single information source can hardly identify the various types of cyberattacks. It is necessary to integrate information from multiple sources through information fusion to obtain more comprehensive and reliable cyberattack identification. This paper uses D-S evidence theory to integrate data from both cyber and physical spaces. Dempster's rule of combination is used to synthesize the basic probability distribution of each piece of evidence, and the attack type identification is completed. Three typical types of cyberattacks, including denial of service, packet injection, and feedback spoofing, together with the normal operation status are identified in this paper. To obtain the basic probability assignment (BPA) of each attribute, the triangular fuzzy number method is adopted. The experimental results show that the method proposed in this paper can effectively fuse the information from both cyber and physical spaces, and can accurately identify the four categories of cyberattacks, which shows that it is feasible for cyberattack identification.

Acknowledgements. This research was supported by National Natural Science Foundation of China (Grant No. 71801141), LingChuang Research Project of China National Nuclear Corporation, and National Science and Technology Major Project of China (Grant No. ZX069).


References

1. Li, F., Yang, Z., An, Z., Zhang, L.: The first digital reactor protection system in China. Nucl. Eng. Des. 218, 215–225 (2002)
2. Li, D., Xiong, H., Guo, C.: Design and development of HTR-PM reactor protection system. In: 21st International Conference on Nuclear Engineering (Proc. Int. Conf. Nucl. Eng., Chengdu, China), pp. 1–7. American Society of Mechanical Engineers, USA (2013)
3. Cho, H.S., Woo, T.H.: Cyber security in nuclear industry – analytic study from the terror incident in nuclear power plants (NPPs). Ann. Nucl. Energy 99, 47–53 (2017)
4. Kim, D.Y.: Cyber security issues imposed on nuclear power plants. Ann. Nucl. Energy 65, 141–143 (2014)
5. Yang, A., Li, J., Bian, Y., Wang, X.: The cyber security evaluation of China's nuclear power plant DCS system. In: 20th Pacific Basin Nuclear Conference (Proc. 20th Pacific Basin Nucl. Conf., Beijing, China), pp. 689–700. Springer, Singapore (2017)
6. Si, W., Li, J., Huang, X.: Attack identification in I&C systems based on physical data. In: 27th International Conference on Nuclear Engineering (Proc. 27th Int. Conf. Nucl. Eng., Tsukuba, Japan), pp. 1–6. Japan Society of Mechanical Engineers, Japan (2019)
7. Zhang, Y., Huang, S., Guo, S., Zhu, J.: Multi-sensor data fusion for cyber security situation awareness. Procedia Environ. Sci. 10, 1029–1034 (2011)
8. Wu, X., Wang, D., Cao, W., Ding, M.: A genetic-algorithm support vector machine and D-S evidence theory based fault diagnostic model for transmission line. IEEE Trans. Power Syst. 34(6), 4186–4197 (2019)
9. Ye, F., Chen, J., Li, Y.: Improvement of DS evidence theory for multi-sensor conflicting information. Symmetry 9(69), 1–15 (2017)
10. Jiang, W., Deng, X.: Information Modelling and Application of D-S Evidence Theory. Science Press, Beijing (2018)
11. Si, W., Li, J., Huang, X.: One-class anomaly detection for instrumentation and control systems based on replicator neural networks. In: 11th Nuclear Plant Instrumentation, Control, and Human-Machine Interface Technologies (Proc. 27th Nucl. Plant Instrum., Control, Hum.Mach. Interf. Technol., Orlando, USA), pp. 1361–1369. American Nuclear Society, USA (2019)

Power Control System of Small Modular PB-Bi Fast Reactor (SMPBR)

Ao-Di Sun and Xin-Yu Wei(B)

Shaanxi Key Laboratory of Advanced Nuclear Energy and Technology, and Shaanxi Engineering Research Center of Advanced Nuclear Energy, Xi'an Jiaotong University, Xi'an 710049, China
[email protected]

Abstract. With the development of nuclear technology, the existing fissile nuclides cannot meet the long-term needs of mankind, and fast neutron reactors that make use of fissionable nuclides are the trend of nuclear energy development. The Small Modular Pb-Bi Fast Reactor (SMPBR) is a fast neutron reactor cooled by liquid lead-bismuth eutectic (LBE). To be competitive, an SMPBR is usually designed for high power density, strong load-following ability and convenient transportation. Because China currently lacks experience with lead-bismuth fast reactors, both the reactor and its control system are difficult to design, so in this work the SMPBR control system is developed with a sodium-cooled fast reactor as the reference plant. First, the influence of the control rod, the core inlet flow rate and the core inlet temperature is studied one variable at a time. Second, based on the relationships between these parameters, power regulation schemes with and without control rod movement are designed. A robust PI controller is then designed according to the dynamic characteristics of the reactor, and the effects of control rods and coolant flow on power are combined to design controllers for different operating schemes.

Keywords: Small modular Pb-Bi Fast Reactor · Control system · Flowrate

1 Introduction

With the development of industry and the depletion of fossil fuels, new sustainable energy sources are urgently needed. Nuclear energy is clean and sustainable, but at present it comes mainly from fissile nuclides, of which the earth holds little; only the rational use of fissionable nuclides can solve the energy problem in the long run [1, 2]. A fast neutron reactor sustains its fission chain reaction with fast neutrons, and its distinguishing feature is that it can make use of fissionable nuclides. Fast reactors also have good safety characteristics [3]. Since the control system is the basic guarantee of nuclear power operation, the control system of the fast reactor needs to be studied.

The current power control method mainly adjusts power by moving the control rods [4, 5]. However, from the standpoint of plant safety, power control should be able to respond to different equipment failures through more than one control method, so power regulation methods other than the control rod need to be studied. Earlier literature has shown that controlling a high-power sodium-cooled fast reactor by flow regulation is feasible, and that a small lead-bismuth fast reactor is better suited to flow regulation than a sodium-cooled fast reactor [6, 7]. This paper therefore studies and compares the effects of the control rods and the coolant flow rate on power, and studies the effect of inlet temperature changes on the primary circuit. Because China lacks experience with lead-bismuth fast reactors, the sodium-cooled fast reactor control system is studied here as a reference for the subsequent design of the lead-bismuth fast reactor control system.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 84–96, 2021. https://doi.org/10.1007/978-981-16-3456-7_10

2 Model and Methods

The primary circuits of the lead-bismuth fast reactor and the sodium-cooled fast reactor are similar in structure; both include the core, hot pool, cold pool and steam generator, as shown in Fig. 1.

Fig. 1. Primary loop model

2.1 Point Reactor Kinetics Equations

The core is described by the point reactor kinetics equations with six groups of delayed neutrons [8]:

$$\frac{dn(t)}{dt} = \frac{\rho(t) - \beta}{\Lambda}\, n(t) + \sum_{i=1}^{6} \lambda_i C_i(t) \qquad (1)$$

$$\frac{dC_i(t)}{dt} = \frac{\beta_i}{\Lambda}\, n(t) - \lambda_i C_i(t), \quad i = 1, \ldots, 6 \qquad (2)$$

$$\beta = \sum_{i=1}^{6} \beta_i \qquad (3)$$

where n(t) is the neutron density (neutrons·m⁻³); ρ(t) the total reactivity of the core (Δk/k); C_i(t) the delayed-neutron precursor concentration of group i (m⁻³); λ_i the precursor decay constant of group i (s⁻¹); β_i the delayed-neutron fraction of group i (%); Λ the neutron generation time (s).

2.2 Thermal Dynamic Model

From energy conservation, the dynamic heat-transfer equations of the fuel and coolant are [9]:

$$\frac{dT_f}{dt} = \frac{f_f P_0}{\mu_f}\, N_r - \frac{\Omega}{\mu_f}\,(T_f - T_m) \qquad (4)$$

$$\frac{dT_m}{dt} = \frac{(1 - f_f) P_0}{\mu_c}\, N_r + \frac{\Omega}{\mu_c}\,(T_f - T_m) + \frac{2}{\tau_c}\,(T_{in} - T_m) \qquad (5)$$

$$\frac{dT_{out}}{dt} = \frac{(1 - f_f) P_0}{\mu_c}\, N_r + \frac{\Omega}{\mu_c}\,(T_f - T_m) + \frac{2}{\tau_c}\,(T_m - T_{out}) \qquad (6)$$

where T_f is the average fuel temperature (°C); T_m the average coolant temperature (°C); T_in the coolant inlet temperature (°C); T_out the coolant outlet temperature (°C); N_r the relative power (neutron density normalized to its full-power value); f_f the fraction of the power deposited in the fuel; P_0 the full power (W); μ_f the heat capacity of the fuel (J·°C⁻¹), μ_f = m_f C_{p,f}; μ_c the heat capacity of the coolant (J·°C⁻¹), μ_c = m_c C_{p,c}; C_{p,f} and C_{p,c} the constant-pressure specific heat capacities of fuel and coolant (J·kg⁻¹·°C⁻¹); Ω the heat transfer coefficient between fuel and coolant (W·°C⁻¹); τ_c the delay time (s), τ_c = μ_c / (W_p C_{p,c}); W_p the coolant mass flow rate (kg·s⁻¹).

2.3 Hot and Cold Pool

After the coolant leaves the core it passes through the hot pool, exchanges heat in the steam generator, and the cooled coolant returns to the core through the cold pool to complete the circulation. To simplify the simulation, the following assumptions are made: (1) the coolant is fully mixed in the hot and cold pools, i.e. the outlet temperature of each pool equals its average temperature; (2) the hot and cold pools are adiabatic. From energy conservation, the energy equations of the hot and cold pools are:

$$\frac{dT_{hot}(t)}{dt} = \frac{F_{hot}}{V_{hot}}\,\bigl(T_{hot,in} - T_{hot}(t)\bigr) \qquad (7)$$

$$\frac{dT_{cold}(t)}{dt} = \frac{F_{cold}}{V_{cold}}\,\bigl(T_{cold,in} - T_{cold}(t)\bigr) \qquad (8)$$

where T_hot(t), T_cold(t) are the outlet temperatures of the hot and cold pools (°C); T_hot,in(t), T_cold,in(t) the inlet temperatures of the hot and cold lead-bismuth pools (°C); F_hot, F_cold the volume flow rates through the hot and cold pools (m³·s⁻¹); V_hot, V_cold the effective volumes of the hot and cold pools (m³).

2.4 Reactivity

Many factors affect the reactivity of the reactor. This paper considers five main ones: the reactivity introduced by the control rod, the Doppler effect of the fuel, the coolant density effect, the axial expansion of the core and the radial expansion of the core. The fuel Doppler effect, coolant density effect, core axial expansion and core radial expansion are expressed by the following equations:

$$\rho_{Doppler} = \rho_{f,T} = \alpha_f \ln\!\left(T_f / T_{f,0}\right) \qquad (9)$$

where T_{f,0} is the fuel temperature at the initial time (°C).

$$\rho_{c,t} = 0.5\,\alpha_{c,t}\,(T_m - T_{m,0}) + 0.5\,\alpha_{c,t}\,(T_{out} - T_{out,0}) \qquad (10)$$

where T_{m,0} is the average coolant temperature at the initial time (°C) and T_{out,0} the coolant outlet temperature at the initial time (°C).

$$\rho_a = \int_{T_{m,0}}^{T_m} d\rho = \int_{T_{m,0}}^{T_m} a\,\alpha_a\, z_0^2\, e^{z_0^2}\, e^{(1 + \alpha_a T)^2}\,(1 + \alpha_a T)\, dT = \frac{a\, z_0^2\, e^{z_0^2}}{2}\left(e^{(1 + \alpha_a T_m)^2} - e^{(1 + \alpha_a T_{m,0})^2}\right) \qquad (11)$$

where the subscript 0 denotes the value at the initial time t_0 (s).

$$\rho_r = \alpha_r\,(T_m - T_{m,0}) \qquad (12)$$

The above models are connected according to the relationships in Fig. 1, with the steam generator module simplified to boundary conditions.

3 Results and Discussion

The PID controller has a simple structure, is easy to implement and is widely used in industry. Because the plant has no large delay, this paper uses a PI controller to control the control rod movement and the main pump (coolant flow). The steady-state parameters were verified on a sodium-cooled fast reactor with a thermal power of 65 MW. A step reactivity is introduced to study the characteristics of the control rod when it controls power: at 200 s, +50 pcm is introduced, and the resulting change of reactivity is shown in Fig. 2. When the step is introduced, the reactivity and the power increase; once the power change is detected, the control rod moves to introduce negative reactivity, the total reactivity decreases rapidly and the power decreases. The power change after the step is shown in Fig. 3.

Fig. 2. Total reactivity change when +50 pcm step is introduced.

Fig. 3. Power change when +50 pcm step is introduced.

Figure 4 shows the change of reactivity when the power steps from 100% FP to 90% FP. First, the control rod movement introduces negative reactivity and the power decreases; at this time k_eff is less than 1 and the core is subcritical. Then the fuel and coolant temperatures decrease, the temperature feedback introduces positive reactivity, k_eff gradually returns to 1 and the system reaches a new equilibrium. Figure 5 shows the power changes when the power steps down from 100% FP to 90%, 80%, 70%, 60% and 50% FP. It can be seen from Fig. 5 that the control system performs well over a large power range.


Fig. 4. Reactivity change when the power steps down from full power to 90% FP.

Fig. 5. Power change for step decreases in power.

3.1 Adjusting Power by the Coolant Flow Rate

A change of coolant flow changes the core temperature and thereby introduces reactivity, so the power can be adjusted through coolant flow changes without moving the control rods. Figure 6 shows the change of reactivity when +50 pcm is introduced. When the reactivity steps up, the coolant flow is reduced, the coolant temperature rises and introduces negative reactivity, and the power decreases; meanwhile the fuel temperature has risen and the Doppler effect introduces negative reactivity. The total reactivity finally returns to 0 and the system settles at a new operating point. Figure 7 shows the power change after the reactivity step: the power first increases, then the flow rate decreases, negative reactivity is introduced by the rise of coolant temperature, and the power finally returns to its original level.

Fig. 6. Reactivity change when a +50 pcm step is introduced.

Fig. 7. Power change when a +50 pcm step is introduced.

To verify the effectiveness of flow regulation over a large power range, Fig. 8 shows the power change when the power is reduced to 90%, 80%, 70%, 60% and 50% FP by controlling the flow rate. Figure 8 shows that adjusting the power by controlling the coolant flow is as feasible as control rod adjustment. Figure 9 shows the flow rate curves at the different power levels: when the power level drops to 50% FP the flow must drop to 45% of the full-load flow, and further power reductions require further flow reductions. Because of the safety design of fast reactors, the coolant usually has good natural circulation capability, so the influence of natural circulation must be considered when the flow becomes very small; the current model still needs to be improved in this respect. Figure 10 shows the reactivity components at the different power levels. When the coolant flow decreases, the rise of coolant temperature introduces negative reactivity and the power decreases. As the fuel temperature falls, the temperature difference between fuel and coolant shrinks and the heat transfer decreases. The decrease of fuel temperature introduces positive reactivity, while the increase of coolant temperature introduces negative reactivity. At the same time, because the coolant temperature rises, the average core temperature rises and the core expansion introduces negative reactivity.

Fig. 8. Power adjustment by adjusting the coolant flow rate.

Fig. 9. Flow rate adjustment.

As can be seen in Fig. 10, the Doppler effect of the fuel and the density effect of the coolant are the most pronounced. However, almost all of the reactivity coefficients depend on the structural parameters, so when the flow rate is regulated through the reactivity feedback, the design parameters can be used to tune the reactivity coefficients. By selecting different reflector and support-structure materials to adjust the reactivity coefficients, the power can be controlled by the flow rate.

Fig. 10. Reactivity at different power levels
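As an added illustration of the rod-based scheme of Section 3 and the flow-based scheme of Section 3.1 (not the authors' code), the following Python block integrates the point kinetics equations (1)-(3) with a simplified single-node version of the thermal model (4)-(5) and runs a PI controller on either the rod reactivity or the relative coolant flow, applying a +50 pcm step at 200 s as in Figs. 2 and 6. The plant parameters, the linearised feedback coefficients (used in place of the paper's logarithmic Doppler and expansion terms), the controller gains and the six-group U-235 delayed-neutron data are all assumed values, since the paper does not publish its parameters; the prompt term of Eq. (1) is treated implicitly so that the step size is not limited by the generation time.

```python
"""PI power control of a point-kinetics reactor model by control rod or by
coolant flow (added example, not the authors' code). All numbers below are
assumed for illustration: standard six-group U-235 delayed-neutron data, a
65 MW core with made-up thermal capacities, linearised feedback
coefficients and hand-picked PI gains."""

# Six-group delayed-neutron data (U-235 thermal fission, Keepin), assumed
BETA_I = [0.000215, 0.001424, 0.001274, 0.002568, 0.000748, 0.000273]
LAMBDA_I = [0.0124, 0.0305, 0.111, 0.301, 1.14, 3.01]   # 1/s
BETA = sum(BETA_I)
GEN_TIME = 1.0e-7     # Lambda, s (fast spectrum; assumed)

# Thermal model of Eqs. (4)-(5), single coolant node (assumed values)
P0 = 65.0e6           # W, full power
F_F = 0.95            # fraction of power deposited in the fuel
MU_F = 1.0e6          # J/degC, fuel heat capacity
MU_C = 2.0e6          # J/degC, in-core coolant heat capacity
OMEGA = 3.0e5         # W/degC, fuel-to-coolant heat transfer coefficient
W_P0 = 350.0          # kg/s, nominal coolant mass flow
C_PC = 1250.0         # J/(kg degC), coolant specific heat
T_IN0 = 360.0         # degC, core inlet temperature (held constant)

# Linearised feedback coefficients, pcm/degC (assumed, both negative)
ALPHA_F = -1.0        # fuel (Doppler)
ALPHA_C = -0.5        # coolant temperature/density
PCM = 1.0e-5


def steady_state():
    """Full-power initial condition that makes all derivatives zero."""
    t_m = T_IN0 + P0 / (2.0 * W_P0 * C_PC)
    t_f = t_m + F_F * P0 / OMEGA
    c = [b / (GEN_TIME * l) for b, l in zip(BETA_I, LAMBDA_I)]
    return 1.0, c, t_f, t_m


def simulate(mode, rho_step_pcm=50.0, t_step=200.0, t_end=600.0, dt=0.02,
             kp=200.0, ki=10.0, kpf=2.0, kif=0.1):
    """Closed-loop response to an external reactivity step.

    mode 'rod': PI acts on rod reactivity (pcm per unit power error).
    mode 'flow': rods fixed, PI acts on the relative coolant flow instead.
    Returns end-of-run power, peak power, rod reactivity, flow and the
    temperature feedback reactivity (powers relative to P0)."""
    n, c, t_f, t_m = steady_state()
    t_f0, t_m0 = t_f, t_m
    integ, rho_rod, flow, n_max = 0.0, 0.0, 1.0, 1.0
    for k in range(int(t_end / dt)):
        rho_ext = rho_step_pcm if k * dt >= t_step else 0.0
        err = 1.0 - n
        integ += err * dt
        if mode == "rod":
            rho_rod = kp * err + ki * integ
        else:  # lower flow -> hotter coolant -> negative reactivity
            flow = min(1.5, max(0.2, 1.0 + kpf * err + kif * integ))
        rho_fb = ALPHA_F * (t_f - t_f0) + ALPHA_C * (t_m - t_m0)
        rho = (rho_ext + rho_rod + rho_fb) * PCM
        # Eq. (1): prompt term taken implicitly, so dt need not resolve Lambda
        source = sum(l * ci for l, ci in zip(LAMBDA_I, c))
        n_new = (n + dt * source) / (1.0 - dt * (rho - BETA) / GEN_TIME)
        # Eq. (2), explicit Euler
        c = [ci + dt * (b / GEN_TIME * n - l * ci)
             for ci, b, l in zip(c, BETA_I, LAMBDA_I)]
        # Eqs. (4)-(5); tau_c = mu_c / (W_p c_p) grows as the flow is cut
        tau_c = MU_C / (flow * W_P0 * C_PC)
        d_tf = (F_F * P0 / MU_F) * n - (OMEGA / MU_F) * (t_f - t_m)
        d_tm = ((1.0 - F_F) * P0 / MU_C) * n + (OMEGA / MU_C) * (t_f - t_m) \
            + (2.0 / tau_c) * (T_IN0 - t_m)
        t_f += dt * d_tf
        t_m += dt * d_tm
        n = n_new
        n_max = max(n_max, n)
    return {"power": n, "peak": n_max, "rod_pcm": rho_rod, "flow": flow,
            "feedback_pcm": ALPHA_F * (t_f - t_f0) + ALPHA_C * (t_m - t_m0)}


if __name__ == "__main__":
    for mode in ("rod", "flow"):
        print(mode, {k: round(v, 4) for k, v in simulate(mode).items()})
```

In rod mode the integrator ends up holding exactly the -50 pcm needed to cancel the step and the temperatures return to their initial values. In flow mode the rods never move, so the same -50 pcm has to come from the temperature feedback, which is why the flow settles well below nominal with the coolant hotter than before; that is the "new operating point" described above, and it makes clear that the size of the flow reduction is set by the feedback coefficients, not by the controller gains.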

In general, it is more difficult to achieve negative temperature reactivity feedback in a large sodium-cooled metallic-fuel fast reactor than in other fast reactor types proposed so far, such as an LBE-cooled reactor with a small core and nitride fuel [6], so it is easier for a small lead-bismuth fast reactor to control power through the coolant flow rate. Flow rate control has two advantages: 1) it adds a new power regulation method and so improves reactor safety; 2) in small lead-bismuth fast reactors it can take over part of the control rod function, simplifying the control rod system and assisting miniaturization and compact integration.

3.2 Influence of Core Inlet Temperature on the Primary Circuit

At present China lacks experience with small lead-bismuth fast reactors, so their control system design is based on sodium-cooled fast reactors. To design more flexible load-variation schemes suited to small lead-bismuth fast reactors, the dynamic characteristics of the primary circuit must be studied. This section studies the influence of the steam generator parameters on the primary circuit through a change of the primary-circuit inlet temperature. Figure 11 shows the change of reactivity when the inlet temperature of the primary circuit (the steam generator outlet temperature) steps up by 5 °C with no control system. After the step, the core temperature rises and introduces negative reactivity. Without control, the power decreases, the core outlet temperature decreases and positive reactivity is introduced; however, as the inlet temperature increases, the temperature rise of coolant node 1 introduces negative reactivity. The average core temperature increases, the core expansion introduces negative reactivity, and the total reactivity first decreases and then increases. The power continues to drop and stabilizes at a new level, as shown in Fig. 12. The cold pool plays a buffering role, but at the same time it increases the delay time.

Fig. 11. Reactivity change when temperature step rises 5 °C.

Figure 13 shows the change of reactivity after a 5 °C step in the inlet temperature when the power level is controlled by the flow regulation method. When the inlet temperature rises, the temperature rise of coolant node 1 introduces negative reactivity and the power decreases, as in Fig. 14; once the control system detects this, the coolant flow rate increases, as in Fig. 15. As the flow rate increases, the outlet temperature decreases and positive reactivity is introduced. Because the cold pool acts as a buffer, the power changes slowly and remains almost unchanged under control, but the adjustment time increases significantly because of the cold pool. The system rebalances when the cold pool temperature has risen to the steam generator outlet temperature. The core inlet temperature increases while the power does not change; because the regulation is achieved by increasing the flow rate, the fuel temperature hardly changes, as shown in Fig. 13, and the Doppler effect introduces almost no reactivity, which protects the fuel.


Fig. 12. Power change when temperature step rises 5 °C.

Fig. 13. Reactivity change when inlet temperature step rises 5 °C.



Fig. 14. Power change when inlet temperature step rises 5 °C.

Fig. 15. Flow change with time

In summary, controlling power by controlling the flow is feasible. Flow regulation relies on the reactor's reactivity feedback, so the feedback coefficients are critical; fortunately these can be adjusted by design, including the reactor geometry and the choice of materials. The control system can therefore provide reference indicators for the reactor design as well as for the process design. The cold pool buffers the steam generator parameters and increases the delay time, so the cold pool capacity should be selected together with the operating scheme, and the control system can also provide a control scheme that combines control rod movement with flow adjustment.


4 Conclusion

To design the primary loop control system of the small lead-bismuth fast reactor, the dynamic characteristics of the primary circuit of a sodium-cooled fast reactor are studied in this paper. Power is adjusted by control rod movement and by the coolant flow rate, and the response of the primary circuit to a change of its inlet temperature is examined. The main conclusions are as follows: (1) The PI controller has a good control effect, is robust to step disturbances and can adjust power over a wide range. (2) Adjusting power by the flow rate is feasible over a large power range, which provides a reference for the design of the primary loop control system. (3) Using reactivity feedback to adjust power is feasible, and the core process design can be guided by the indicators of the control system. (4) The cold pool buffers fluctuations of the steam generator parameters but also increases the delay time; the cold pool capacity should be selected together with the operating scheme.

Acknowledgements. This research is supported by National Natural Science Foundation of China (11875218), Innovative scientific Program of CNNC.

References

1. Yican, W., et al.: Development status and prospects of lead-based reactors. Nucl. Sci. Eng., 213–221 (2015)
2. Wallam, F., Tan, C.P.: Output feedback cross-coupled nonlinear PID based MIMO control scheme for pressurized heavy water reactor. J. Franklin Inst. 356(15), 8012–8048 (2019)
3. Zhong, C., et al.: Core optimization of 5MWth lead-bismuth cooled super small module reactor (LSMR) based on separative work. Ann. Nucl. Energy 120, 735–741 (2018)
4. Kanglong, Z., et al.: Conceptual design and analysis of the shim-rod assembly for lead-bismuth eutectic (LBE) cooled reactor. J. Univ. Sci. Technol. China, 911–916 (2015)
5. Guo, H., et al.: Design directions of optimized reactivity control systems in sodium fast reactors. Nucl. Eng. Des. 341, 239–247 (2019)
6. Nakayama, S., Okawa, T., Sekimoto, H.: Power control of CANDLE reactor by coolant flow rate. Prog. Nucl. Energy 53(7), 891–894 (2011)
7. Sekimoto, H., Nakayama, S.: Power level control of CANDLE reactor without control rods. Ann. Nucl. Energy 63, 427–431 (2014)
8. Jiashuang, W.: Research on the Control Systems of the Advanced Small Pressurized Water Reactor. Xi'an Jiaotong University, Xi'an (2017)
9. Shifa, W.: Control System Improvement and Simulation Studies on the Generation Nuclear Power Plant. Xi'an Jiaotong University, Xi'an (2019)

Research on Integrated Management Technology for Physical Protection System of Nuclear Facilities

Wei-Wei Wen(B), Jin-Xing Cheng, You-Peng Wu, Qing-Bo Wang, Xian-Bo Chen, Lang Li, Ai Yu, and Wei Yuan

Beijing Institute of High Technology, Beijing 100025, China

Abstract. In this work the functional requirements for integrated management of the physical protection system are studied by analyzing the composition of the physical protection system and the development status and trend of integrated management systems. The design scheme is then studied from two aspects, the composition of the physical protection integrated management system and its software architecture, to provide a reference for building integrated management systems for nuclear facilities.

Keywords: Nuclear facilities · Physical protection system · Integrated management · Nuclear security

1 Physical Protection System

1.1 Definition of Physical Protection System

The physical protection system is an important means of achieving nuclear security at nuclear facilities. It is used to prevent criminals from robbing, stealing or illegally transferring nuclear material or sabotaging nuclear facilities and materials, and it is the basic guarantee for the safe and stable operation of nuclear facilities and the safe and scientific use of nuclear material [1]. The physical protection system is composed of subsystems such as detection, delay and response, and these subsystems need data sharing, function linkage, intelligent analysis and decision support. In addition, the physical protection system of a nuclear facility usually covers a wide area, a large number of devices and a large amount of information to be fused, and it must provide continuous and effective protection at all times and in all areas so that no weak links or loopholes exist. It is therefore necessary to build a comprehensive physical protection management system that integrates the physical protection subsystems organically and improves both the effectiveness of the physical protection system and the efficiency of its operation and maintenance [2].

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021 Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 97–105, 2021. https://doi.org/10.1007/978-981-16-3456-7_11


1.2 Composition of Physical Protection System

The physical protection system is composed of the detection, delay, response and integrated management subsystems, as shown in Fig. 1. According to the definition in the nuclear safety guide "Physical Protection of Nuclear Facilities", detection is the determination that an unauthorized act has occurred or is taking place, which includes sensing the act, sending an alarm to the security control center and assessing the alarm; delay consists of the measures that extend or slow the progress of a risk event; response is the rapid action taken to stop the risk event; and integrated management integrates and manages the functional modules of physical protection, with data sharing and function linkage across the existing systems [2].

Fig. 1. Structure diagram of physical protection system. An integrated management platform (alarm, video, access, communication and power-supply management, emergency plan, light control) sits above four groups of subsystems: Detect (intrusion detection, video surveillance, access control, online patrol); Delay (perimeter physical barrier, movable physical barrier, surrounding buildings); Response (reaction force, communication, emergency plan); Auxiliary (power supply, light control, network support).

1.3 Function Realization of Physical Protection System

For the physical protection system to fulfil its function, unauthorized behavior must be detected and accurately verified under the monitoring and linkage of the integrated management subsystem. Once unauthorized behavior is detected, effective delay must be applied immediately and the security forces deployed quickly to intercept and stop it. The earlier the detection, the better the physical protection system can function. Only a detection alarm that has been assessed is an effective alarm, and only delay that occurs after the detection alarm is effective delay. The measure of effectiveness of a physical protection system is whether the response of the security force intercepts and stops the adversary before the adversary achieves its goal [3]. Figure 2 shows the relationship between the adversary's task time and the function times of the physical protection system. To achieve the protection purpose, T_L must occur before T_C, and T_0, T_a and T_L should lie as close to the left end of the time axis as possible [4].

Fig. 2. The function realization of physical protection system
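The timing condition of Fig. 2 (T_L before T_C, with detection credited only once the alarm has been assessed) can be checked numerically along an adversary path. The following is an added example, not the paper's own method: it applies the standard adversary-path interruption calculation (EASI-style, with a deterministic response force time) to a constructed sample path. The element names, delays, detection probabilities, assessment time and response times are assumptions made for the illustration.

```python
"""Timeliness of detection along an adversary path (added example, not the
paper's own method). Follows the standard adversary-path interruption
calculation with a deterministic response time: an assessed alarm at an
element is only useful if the delay still ahead of the adversary exceeds
the time needed to assess the alarm and bring the response force to bear,
i.e. T_L falls before T_C in Fig. 2. All sample data are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Element:
    name: str
    delay_s: float    # time the adversary needs to defeat this element
    p_detect: float   # P(sensor detects AND the alarm is assessed as valid)


def remaining_delay(path, i):
    """Delay still ahead once the adversary reaches element i. Delay spent
    before the detecting element is not credited (delay before detection
    is not effective delay)."""
    return sum(e.delay_s for e in path[i:])


def timely(path, i, response_s, assess_s):
    """True if an assessed alarm at element i still leaves enough delay."""
    return response_s + assess_s <= remaining_delay(path, i)


def critical_detection_point(path, response_s, assess_s):
    """Last element at which detection is still timely (None if none is);
    detection anywhere after it comes too late to matter."""
    last = None
    for i, e in enumerate(path):
        if timely(path, i, response_s, assess_s):
            last = e.name
    return last


def probability_of_interruption(path, response_s, assess_s):
    """P_I = sum over elements of P(first assessed detection occurs at i),
    restricted to the elements where that detection is timely."""
    p_undetected, p_i = 1.0, 0.0
    for i, e in enumerate(path):
        if timely(path, i, response_s, assess_s):
            p_i += p_undetected * e.p_detect
        p_undetected *= 1.0 - e.p_detect
    return p_i


# Constructed sample path into a material storage vault; times in seconds.
SAMPLE_PATH = (
    Element("perimeter fence with microwave sensor", 30.0, 0.5),
    Element("yard, patrol observation only", 60.0, 0.2),
    Element("building door with access control", 120.0, 0.8),
    Element("vault door with interior sensor", 200.0, 0.5),
)

if __name__ == "__main__":
    for rft in (300.0, 450.0):   # response force time, s; assessment 20 s
        print(rft, critical_detection_point(SAMPLE_PATH, rft, 20.0),
              round(probability_of_interruption(SAMPLE_PATH, rft, 20.0), 3))
```

With a 300 s response the fence, yard and door detections are all timely but the vault sensor is wasted, because only 200 s of delay remain after it; with a 450 s response no detection is timely and P_I collapses to zero however good the sensors are. That is the quantitative form of "T_0, T_a and T_L should be as far left as possible": moving detection outward or adding delay inward both raise P_I, whereas adding sensors past the critical detection point does not.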

An effective and reliable physical protection system requires that the detection, delay and response functions be integrated into an organic whole with unified management and efficient linkage, so that intrusion and sabotage are detected promptly, delay is imposed in the alarm detection area, and the security forces are notified quickly to respond [5, 6]. A physical protection system also contains a large amount of equipment. Taking the physical protection system of one nuclear power plant as an example, its investment is about 100 million yuan and it includes about 220 cameras, 85 detectors and 44 access card readers; managing each functional module independently by manual operation of the duty staff is a huge workload, and accuracy and timeliness are difficult to guarantee in complex situations. This has become a major bottleneck restricting the effectiveness of physical protection systems at nuclear facilities [7]. In addition, the PRISM surveillance disclosures sounded an alarm for information security in China, particularly for the integrated management system of physical protection: a vulnerability or backdoor in it would hand the adversary a key to the facility, with unimaginable consequences. Developing integrated management software for physical protection systems with independent intellectual property rights therefore helps not only to improve the comprehensive management capability and efficiency of the physical protection system but also to improve its information security.


2 Integrated Management System

2.1 Development Status of Integrated Management System

Physical protection technology research started earlier abroad. Foreign integrated management systems are mainly management platforms built on the access control and alarm subsystem, with part of the signals of the other subsystems connected into the access control subsystem to realize alarm linkage and similar functions; examples are the "On Guard platform" of Lenel, the "EBI platform" of Honeywell and the "Hirsh management system". The "On Guard platform" relies mainly on the management functions of the access control system, integrates some video signal processing through interface protocols, and is an initial realization of an integrated security management platform. The design basis of Honeywell's EBI platform is likewise intelligent building control in the security field; although some video signal processing is integrated, the management functions of all subsystems are not integrated into the platform for the special needs of a physical protection system. After decades of engineering application, Hirsh's access control system has been continuously improved and is one of the systems with the highest reliability in engineering application; but because its development is still based on access control, although it integrates some video management functions and can link video with alarm signals, it still does not seamlessly integrate all functional modules of a physical protection system. These management systems basically provide information sharing, comprehensive display and coordinated management, and are widely used in domestic building security and in the physical protection of nuclear facilities. However, their equipment compatibility is not high, especially for domestic equipment; they cannot be customized to requirements, and later technical service and improvement are not guaranteed. With the continuous development of the domestic security industry, a number of domestically developed security management systems have appeared [8, 9], such as "Jieshun", "Dashi intelligent", "Huatuo aerospace" and "Pike Shenzhen"; these are mainly used in intelligent buildings and residential security, have a low degree of system integration, and lack effective communication, linkage and other management functions. The "nuclear shield" physical protection and security integrated management platform (NVSG) was developed in 2012 according to the actual needs of the nuclear industry, especially nuclear power physical protection. As the first comprehensive management system for the physical protection of nuclear power plants in China, the NVSG platform has rich functions, is convenient to operate and meets the application requirements of nuclear power physical protection, but its technological maturity still needs to be verified in engineering practice.

2.2 Development Trend of Integrated Management System

In short, with the continuous advance of informatization, networking and intelligence in physical protection systems, the role and importance of the integrated management system become more and more prominent. The requirements for the development


of the integrated management system are mainly reflected in the following aspects. First, localization of software and hardware should be strengthened: as the brain and nerves of the physical protection system, the integrated management system determines the reliable operation and information security of the whole system, and the PRISM disclosures in particular have heightened the urgency of localization. Second, it needs comprehensive integration and function linkage capability: the integrated management system adopts a loosely coupled structure, as shown in Fig. 3, so that the physical protection system can fully integrate the mainstream products on the domestic market and expand its scale and functions. Third, it should have rich alarm response support: through positioning on an electronic map, function linkage of physical protection equipment, decision support from emergency plans and statistical analysis of alarm information, physical protection response measures can be implemented quickly. Fourth, it should have sufficient operation and maintenance support: since physical protection systems are usually large, it should provide equipment management, personnel management, map management and other means that ease operation and maintenance, and it should support flexible deployment and identity authentication for use in different scenarios.

Fig. 3. Coupling structure of integrated management subsystem

3 Construction Scheme of Integrated Management System

Since the construction scheme of the integrated management system should be based on the specific composition of the actual physical protection system, this section discusses the construction scheme of the integrated management system at three general levels, namely its functional requirements, system composition and software architecture, so as to provide guidance for the construction of a specific integrated management system.


W.-W. Wen et al.

3.1 Functional Requirements of Integrated Management System

The integrated management system should have the following basic functions:
(1) Information integration and linkage of each functional subsystem of the physical protection system. It can realize comprehensive integrated management of the various subsystems of the physical protection system (intrusion alarm, video management, access control, patrol management, special communication, power supply, lighting, etc.), with capacity for expansion. It can configure different permissions for users and standardize the management of system operators. It can realize accurate positioning of alarm information, video linkage, alarm plan management, alarm information query, log management and report forms based on a GIS map. It can also manage and configure the equipment in the physical protection system, and query and record equipment status.
(2) Operation and maintenance management of the physical protection system. It monitors the status of physical protection equipment, raises fault alarms and manages spare parts; it manages nuclear security emergency plans, supports action decisions and tracks the emergency process dynamically; it continuously evaluates the effectiveness and reliability of the physical protection system, and can find weak links and loopholes in time according to the dynamic evaluation system of the design basis threat and of physical protection system changes.
(3) Convenient operation and flexible deployment function.
It supports customization of the client’s dynamic menu, so that the client function menu can be customized flexibly according to the location and requirements of the client; it supports multi-screen display of client output, up to the maximum screen size; it offers rich information query with freely configurable query conditions; and the functional modules of the integrated management system can be customized and combined so that the system can be deployed quickly according to the actual situation of the physical protection system.
(4) Localization requirements of the integrated management system. The database of the integrated management system adopts mainstream database software developed in China; it can run on domestic mainstream operating systems; and the servers and workstations on which the integrated management system is installed should raise the localization rate as much as possible and adopt mainstream domestic CPUs.

3.2 Composition of Integrated Management System

The overall architecture adopts a symmetrical multi-level node structure, which means each node is deployed independently and connected through core services. The node structure gives more flexibility and expansibility, including dynamic system authority, dynamic routing, intelligent network management and other functions. The software of the integrated management system for the physical protection system is installed on main and standby servers that back each other up and can be installed in different places. Under the servers there are multiple system workstations and auxiliary equipment, which can be set up separately according to the requirements of the functional division. In order to achieve loose coupling and high cohesion, the SOA design and a plug-in structure are adopted. In terms of architecture, the core services should consider communication with heterogeneous clients, compatibility with various existing hardware devices and access to new devices in the future, as well as upgrade and deployment capabilities. The video monitoring subsystem is taken as an example to illustrate the system connections. The front-end equipment of the video monitoring subsystem includes spherical (dome) cameras, gun (bullet) cameras, infrared cameras, etc.; the information monitored by the cameras is transmitted through the convergence switch to the video server, which processes and stores the data of the front-end equipment. At the same time, the convergence switch forwards the stream over TCP/IP to the convergence switch of the integrated management system and to the convergence switch of the core network equipment. The convergence switch of the integrated management system sends the video information to the application server, the database server and the integrated management system workstation respectively, and physical protection staff monitor and operate from the workstation; the core switch of the core network equipment sends the video signal to the storage device for storage.

3.3 Software Architecture of Integrated Management System

The two-layer architecture of the integrated management system is shown in Fig. 4. The first layer is the integrated display and linkage platform, and the second layer consists of the functional subsystems. The main functions of the first layer are the integrated display, the linkage platform and the maintenance platform. Among them, the integrated display platform is mainly used by operators: it intuitively displays the main alarm information of the scene to the operators on the electronic map, calls out the corresponding video images by linkage, records the alarm together with the linked video images, and allows the operator to clear the alarm signal manually on the electronic map.
The maintenance platform is mainly used by maintenance personnel to get a full picture of the equipment operation status and maintenance status of each functional subsystem. The main function of the second layer is that each functional subsystem completes its own system function independently; each subsystem is open and configured with the relevant (software and hardware) interfaces to ensure that alarm linkage can be realized between subsystems. The first and second layers are configured independently but uniformly. At the same time, the first-layer platform can call the data of all subsystems in the second layer and display the corresponding data according to the users’ needs without occupying the resources of the second-layer systems, so unified management is achieved while the independence of each functional subsystem in the second layer is preserved. The integrated management software adopts a three-tier structure of data persistence layer, business logic layer and business presentation layer. The data persistence layer supports the storage server, generally with a domestic mainstream database; the business logic layer is based on 12 basic business modules, attached to a data access layer that performs persistence processing for all business data and a device operation layer that operates and manages all devices in the system; the business presentation layer adopts a C/S architecture to support multiple output devices and a variety of screen sizes and resolutions. The client access layer uses web service technology based on the HTTP protocol to realize calls across heterogeneous platforms, and finally achieves the display of the whole platform’s equipment and data as well as the persistence of user data.

Fig. 4. Coupling structure of integrated management subsystem

(1) Data persistence layer. High availability of the database is ensured by using a domestic database for data persistence, with switchover between the main and standby databases. It mainly includes four parts: database server, multimedia storage server, alarm message server and report server.
(2) Business logic layer. The business logic layer is divided into three parts: data access layer, device operation layer and core service. The 12 modules in the core service realize data access operations on the server and the configuration of system equipment through the data access layer and the device operation layer respectively. The 12 modules are: equipment management, video management, alarm management, access control management, plan management, electronic map, patrol management, communication management, video analysis, operation management, report management and user rights management.
(3) Business presentation layer. Windows client applications developed in C# provide the various security services and the user management of the entire system. The business presentation layer is mainly divided into the client program and the display part. The client program realizes human-computer interaction through display walls, large spliced screens, video displays and other terminal display devices.
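The loose coupling, alarm linkage and user rights management described in Sections 3.2 and 3.3 can be illustrated with a small core service. The following is an added example and not the authors’ or the NVSG platform’s code: subsystems are registered as plug-ins that only talk to the core, an alarm is routed to video, map and plan linkages, and clearing an alarm from the map is gated by the operator’s rights and written to the log either way. The subsystem names, zones, camera ids, right names and sample events are all constructed for the illustration.

```python
# Added illustration, not the paper's code: a minimal core service in the style of
# Section 3.2/3.3, where subsystems are decoupled plug-ins that only talk to the core,
# alarm linkage (video call-out, map positioning, plan lookup) is driven by the core,
# and clearing an alarm is gated by the user-rights module and written to the log.
# Subsystem names, zones, camera ids, rights and sample events are all constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass
class Alarm:
    alarm_id: int
    source: str      # subsystem that raised it, e.g. "intrusion" or "access"
    zone: str        # electronic-map zone used for positioning
    cleared: bool = False


LinkageHandler = Callable[[Alarm], str]


class CoreService:
    """Mediator between subsystems: plug-ins register linkage handlers for an event
    name and never reference each other directly (loose coupling, high cohesion)."""

    def __init__(self) -> None:
        self._handlers: Dict[str, List[LinkageHandler]] = {}
        self._rights: Dict[str, Set[str]] = {}    # user rights management module
        self._alarms: Dict[int, Alarm] = {}
        self.log: List[str] = []                   # log management

    def register_linkage(self, event: str, handler: LinkageHandler) -> None:
        self._handlers.setdefault(event, []).append(handler)

    def grant(self, operator: str, right: str) -> None:
        self._rights.setdefault(operator, set()).add(right)

    def raise_alarm(self, alarm: Alarm) -> List[str]:
        """Record the alarm, run every registered linkage and log what was done."""
        self._alarms[alarm.alarm_id] = alarm
        actions = [handler(alarm) for handler in self._handlers.get("alarm", [])]
        for action in actions:
            self.log.append(f"alarm {alarm.alarm_id} ({alarm.source}/{alarm.zone}): {action}")
        return actions

    def clear_alarm(self, operator: str, alarm_id: int) -> bool:
        """Manual clearing from the map is allowed only with the 'clear_alarm' right;
        both granted and denied attempts are logged for later audit."""
        allowed = "clear_alarm" in self._rights.get(operator, set())
        outcome = "granted" if allowed else "denied"
        self.log.append(f"alarm {alarm_id}: clear requested by {operator}, {outcome}")
        if allowed and alarm_id in self._alarms:
            self._alarms[alarm_id].cleared = True
            return True
        return False

    def is_cleared(self, alarm_id: int) -> bool:
        return self._alarms[alarm_id].cleared


# Constructed lookup tables standing in for the video, map and plan subsystems.
CAMERAS_BY_ZONE = {"perimeter-north": "cam-07", "gate-2": "cam-12"}
PLANS_BY_SOURCE = {"intrusion": "perimeter intrusion plan", "access": "forced-door plan"}


def video_linkage(alarm: Alarm) -> str:
    return f"video: call out {CAMERAS_BY_ZONE.get(alarm.zone, 'no camera configured')}"


def map_linkage(alarm: Alarm) -> str:
    return f"map: highlight zone {alarm.zone}"


def plan_linkage(alarm: Alarm) -> str:
    return f"plan: load {PLANS_BY_SOURCE.get(alarm.source, 'generic plan')}"


def build_demo_service() -> CoreService:
    """Wire the three linkage plug-ins and two operators (one without clearing rights)."""
    svc = CoreService()
    for handler in (video_linkage, map_linkage, plan_linkage):
        svc.register_linkage("alarm", handler)
    svc.grant("operator_a", "clear_alarm")
    svc.grant("operator_b", "view_map")    # may look, may not clear
    return svc


if __name__ == "__main__":
    svc = build_demo_service()
    for action in svc.raise_alarm(Alarm(1, "intrusion", "perimeter-north")):
        print(action)
    print("operator_b clear:", svc.clear_alarm("operator_b", 1))
    print("operator_a clear:", svc.clear_alarm("operator_a", 1))
    print("\n".join(svc.log))
```

Adding a new subsystem means registering one more handler; neither the core nor the existing plug-ins change, which is the expansion property the section asks for. Logging the denied attempt as well as the granted one is what makes the operator log usable for the later statistical analysis of alarm handling.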


4 Summary

The integrated management system integrates all functional subsystems of the physical protection system into a unified control and display interface by using computer network, information communication and database technology, so as to realize remote monitoring, data sharing and functional linkage, as well as efficient operation and rapid response. This paper analyzes the functional requirements, system composition and software architecture of the integrated management system, which provides a basic reference for its design and construction. In the actual construction of an integrated management system for a physical protection system, it is also necessary to design and optimize it around the actual composition, linkage requirements, operation and maintenance process and emergency plan of each physical protection system.

References
1. HAD 501/02-2008: Physical protection of nuclear facilities
2. IAEA INFCIRC/255/REV4: Physical protection of nuclear materials and facilities (1999)
3. GJB 5838-2006: Physical protection criteria for military nuclear materials
4. Yan, D.: Design method of physical protection system for nuclear power plant. Nucl. Eng. Res. Des. 51, 8–15 (2004)
5. Liang, M., Feng, R., Jian-Yong, W., et al.: Physical protection technology of nuclear facilities. Nucl. Saf. 1, 64–68 (2013)
6. Zhang, J.: Effectiveness analysis of physical protection system for nuclear power plant. Master’s thesis, Shanghai Jiaotong University (2009)
7. Hong-Guang, F.: Methods of improving the monitoring efficiency of physical protection control center. Ind. Sci. Tribune 12(18), 256–257 (2019)
8. Min, M., Ma, W.-J., Wu, J.-L.: Research on domestic physical protection integrated platform. Comput. Knowl. Technol. 12(19), 69–70 (2016)
9. Jing, M.: Integrated control and management system of physical protection based on EBI. China High Technol. Enterprises 17, 17–18 (2014)

Calculation and Selection of Cross-Sectional Area of Instrumentation and Control Cable Core

Xiao-Yu Liu(B) and Xin-Nian Huang

State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co., Ltd., Shenzhen 518172, China
[email protected]

Abstract. In the process of designing instrumentation and control cables, cable selection is usually carried out according to engineering experience, and the influence of cable laying length and core cross-sectional area on signal transmission is often ignored. For several typical kinds of terminal equipment in nuclear power plants, this paper summarizes the factors affecting cable laying length in engineering practice. By analyzing the four typical signal control loops DI/DO/AI/AO, and special temperature measuring loops such as thermocouples and thermal resistances, the limits on wire resistance and on the maximum cable laying length in the different control loops are calculated. The calculation method can be used as a reference for the selection and rationality analysis of the cross-sectional area of instrumentation and control cables.

Keywords: Nuclear power · Instrumentation and control cable · Laying length · Cross-sectional area

1 Introduction

In the process of designing instrumentation and control cables, cable selection is usually carried out according to engineering experience, and the influence of cable laying length and core cross-sectional area on signal transmission is often ignored. In fact, the length of cables laid in actual projects ranges from tens of meters to hundreds of meters. When the laying distance is long but the selected cross-sectional area is too small, the conductor voltage drop can easily become too large and normal signal transmission to the field equipment or instruments cannot be guaranteed [1]. Conversely, if the cross section of the cable core is too large, materials are wasted and the project cost increases [2]. For several typical terminal controlled objects in nuclear power plants, this paper gives the calculation method for the cable core cross section and the maximum laying length, and optimizes cable selection.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021 Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 106–113, 2021. https://doi.org/10.1007/978-981-16-3456-7_12

Calculation and Selection of Cross-Sectional Area


2 Principle Analysis

Whether the terminal equipment or instrument in a control loop can work normally is generally directly related to the load capacity of the DCS card or to the working voltage of the equipment [3]. The load capacity is the maximum load allowed for normal operation of the control circuit. Since the resistance of the controlled object is fixed at the factory, the actual resistance in the loop is mainly determined by the conductor resistance: the stronger the load capacity of the DCS card, the greater the allowable wire resistance. The maximum voltage drop on the conductor in the loop is determined by the working voltage of the equipment and the voltage fluctuation range the equipment can accept during normal operation [4]; according to Ohm’s law, the maximum allowable wire resistance can then be calculated. The laying length and the cross-sectional area of the cable core determine the resistance of the conductor, which is calculated as follows:

$$R = \frac{\rho l}{s} \tag{1}$$

In this formula, ρ is the conductor resistivity; in nuclear power projects copper core cables are usually selected, with a resistivity of about 0.0178 Ω·mm²/m at room temperature. l is the cable laying length and s is the cross-sectional area of the cable core.

3 Calculation of Maximum Laying Length of Cable

Control signals can generally be divided into four types: DI, DO, AI and AO. In combination with practical engineering application, the maximum allowable conductor resistance and laying length in each of these signal loops are calculated and analyzed below. In addition, the measurement principle and wiring of thermocouples and thermal resistances differ from the conventional AI signal loop, so they are analyzed separately in the last subsection of this section.

3.1 Digital Input Signal

The digital input signals of the control system mainly include the remote transmission signals of switching-value instruments and the switching state feedback signals of valves and pumps. Such a switching-value signal is in fact a passive dry contact in the control loop, as shown in Fig. 1.


X.-Y. Liu and X.-N. Huang

Fig. 1. Schematic diagram of DI signal control loop system (labels in the figure: DCS card, 24 VDC, Rs, Rl on each conductor, limit switch)

According to the requirements of the DI card on the DCS side for the loop, the inquiry current is 5 mA, the inquiry voltage is 48 V or 24 V, and the equivalent resistance Rs of the DI card is about 250 Ω. When the loop current and voltage reach the inquiry values, the switch is judged to be closed. Therefore, the maximum allowable resistance of the conductor can be calculated by the following equation:

$$R_{l\max} = \frac{1}{2}\left(\frac{24\ \text{VDC}}{5\ \text{mA}} - R_s\right) = 2387.5\ \Omega \tag{2}$$

According to formula (1), when a copper core cable with a core cross-sectional area of 1.0 mm² is selected, the maximum laying length can reach 134129 m.

3.2 Digital Output Signal

The switching-value output signal of the control system is equivalent to the control system supplying power to the load. The load capacity of the DO card is about 1 W, which is relatively small, so the load of the loop is mostly a relay unit, which in turn drives the local valve action. The following three situations are analyzed in detail.

Secondary Loop System of Motor. For the command signals of pumps and motor-operated valves, the relay unit on the switch panel is the load driven by the loop, as shown in Fig. 2. According to the relay unit’s working principle, when the coil with iron core is energized, the current in the coil generates a magnetic field, and the magnetic field attracts the armature, which makes the contacts open and close. Generally, in the trip loop or the closing loop, a large current is generated in some cases, which can make the cable voltage drop too large [5]. According to the limiting conditions of the DO card, its maximum load current is 50 mA and the allowable voltage fluctuation during normal operation is 10%, so the maximum allowable resistance of the conductor can be calculated by the following formula:

$$R_{l\max} = \frac{24\ \text{VDC} \times 10\%}{50\ \text{mA} \times 2} = 24\ \Omega \tag{3}$$

According to formula (1), when a copper core cable with a core cross-sectional area of 1.0 mm² is selected, the maximum laying length is about 1348 m, and copper core cables with a cross-sectional area of 1.5 mm² can be laid up to 2022 m. In actual engineering, the cable laying length is generally within 1,000 m, and the cable cross section can be appropriately increased in extreme cases.

Fig. 2. Schematic diagram of DO signal motor control loop system (labels in the figure: DCS card, 24 VDC, Rs, Rl on each conductor, relay unit, 380 VAC)

Electric Actuator. Motor-operated valves in nuclear power plants are generally equipped with integrated electric actuators. Taking a typical fire valve as an example, the rated voltage is 48 VDC, the rated current is 0.3 A, and the voltage range for normal operation of the actuator is 40.8–52.8 VDC. Therefore, the maximum allowable resistance of the conductor can be calculated by the following formula:

$$R_{l\max} = \frac{48\ \text{VDC} - 40.8\ \text{VDC}}{0.3\ \text{A} \times 2} = 12\ \Omega \tag{4}$$

According to formula (1), when a copper core cable with a core cross-sectional area of 1.0 mm² is selected, the maximum laying length is about 674 m, and copper core cables with a cross-sectional area of 1.5 mm² can be laid up to 1011 m.

Solenoid Operated Valve. Taking the commonly used ASCO solenoid operated valve as an example, with a rated voltage of 48 V and a nominal power of 3.6 W, the internal resistance of the solenoid operated valve is:

$$R = \frac{(48\ \text{V})^2}{3.6\ \text{W}} = 640\ \Omega \tag{5}$$

The solenoid operated valve can accept a 10% voltage fluctuation during normal operation, so the maximum voltage loss on the conductor is 4.8 V and the minimum loop current is $I_{\min}$. Then the maximum allowable resistance of the conductor can be calculated by the following formula:

$$R_{l\max} = \frac{1}{2} \times \frac{4.8\ \text{VDC}}{I_{\min}} = \frac{1}{2} \times \frac{4.8\ \text{VDC} \times 640\ \Omega}{48\ \text{VDC} - 4.8\ \text{VDC}} = 35.56\ \Omega \tag{6}$$

According to formula (1), when a copper core cable with a core cross-sectional area of 1.0 mm² is selected, the maximum laying length is about 1994 m.


3.3 Analog Input Signal

Analog input signals of the control system mainly include remote signals of analog instruments and the valve position feedback signals of regulating valves. The AI card usually needs to supply power to the instrument or controlled equipment. Taking the Rosemount 3051 pressure transmitter commonly used in nuclear power plants as an example, according to its loop load limit diagram, shown in Fig. 3, when the loop voltage is 24 VDC the maximum resistance in the loop is:

$$R = 43.5 \times (24 - 10.5) = 587.25\ \Omega \tag{7}$$

According to the characteristics of the AI loop, this resistance is the sum of the conductor resistance and the internal resistance of the AI card. Therefore, when 587 Ω is connected in the loop, the voltage across the instrument follows from Ohm’s law: when the loop current is 4 mA, the maximum voltage across the instrument is $U_{\max} = 24\ \text{VDC} - 0.004\ \text{A} \times 587.25\ \Omega = 21.651\ \text{V}$; when the loop current is 20 mA, the minimum voltage across the instrument is $U_{\min} = 24\ \text{VDC} - 0.02\ \text{A} \times 587.25\ \Omega = 12.255\ \text{V}$.

Fig. 3. Load limit diagram of Rosemount 3051 loop system

It can be seen that when the output current of the AI card varies in the range of 4–20 mA, the voltage across the instrument stays in the working range of 10.5–42.4 V, which can drive the instrument normally. In addition, it is necessary to consider the requirements of HG/T 20509-2000 “Code of Process Controlling and Measuring Instrumentation for Chemical Plant” for the DC supply voltage of instruments: when an ordinary power supply is used, the voltage shall be 24 V ± 1 V; when a UPS is used, the voltage shall be 24 V ± 0.3 V [6]. The schematic diagram of the AI signal control loop is shown in Fig. 4. Therefore, in a loop fed by an ordinary power supply, the maximum allowable resistance of the conductor can be calculated by the following formula:

$$R_{l\max} = \frac{1}{2} \times \frac{1\ \text{VDC}}{0.02\ \text{A}} = 25\ \Omega \tag{8}$$

According to formula (1), when a copper core cable with a core cross-sectional area of 1.0 mm² is selected, the maximum laying length is about 2106 m.


Fig. 4. Schematic diagram of AI signal control loop system

3.4 Analog Output Signal

The analog output signal of the control system is mainly the command signal received by the valve positioner. Usually, the AO card outputs a 4–20 mA control current to the valve positioner, and this signal also powers the valve positioner. The schematic diagram of the AO signal motor control loop is shown in Fig. 5. When the loop resistance is too large, the AO card cannot sustain the control signal at the high end of its range and distortion may occur. Taking the commonly used DVC6200 intelligent positioner as an example, its equivalent load is 550 Ω and the load capacity of the AO card is 750 Ω, so the maximum allowable resistance of the conductor is 100 Ω. According to formula (1), when a copper core cable with a core cross-sectional area of 1.0 mm² is selected, the maximum laying length is about 5617 m.

Fig. 5. Schematic diagram of AO signal motor control loop system
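The calculations of Sections 3.1 to 3.4 all follow the same pattern: find the voltage drop the loop can tolerate, divide by the loop current and by two conductors to get the limit for one conductor, then invert Eq. (1) for the length. The following added example (not the authors’ code) writes that pattern out as functions whose default arguments are the paper’s values; the function names, select_core_area() and the tuple of standard core sizes are my assumptions. Two printed figures do not reproduce from the printed inputs, and the functions return what the formulas give: Eq. (2) with Rs = 250 Ω evaluates to 2275 Ω rather than the printed 2387.5 Ω, and the 2106 m quoted for the AI loop is what Eq. (1) gives for 25 Ω with a 1.5 mm² core (with 1.0 mm² it is about 1404 m).

```python
# Added worked example, not the authors' code: the cable sizing rules of Section 3
# written out as functions. Every Rl_max function returns the limit for ONE conductor
# (the factor 1/2 splits the permitted loop drop over the two conductors), and
# max_laying_length() inverts Eq. (1). Default arguments are the paper's values;
# function names, select_core_area() and the standard-area tuple are my assumptions.

RHO_COPPER = 0.0178  # ohm*mm^2/m, copper at room temperature (Section 2)
STANDARD_AREAS = (1.0, 1.5, 2.5)  # mm^2, assumed catalogue of core sizes


def conductor_resistance(length_m: float, area_mm2: float, rho: float = RHO_COPPER) -> float:
    """Eq. (1): R = rho * l / s, resistance of one conductor in ohms."""
    return rho * length_m / area_mm2


def max_laying_length(r_wire_max: float, area_mm2: float, rho: float = RHO_COPPER) -> float:
    """Eq. (1) solved for l: the longest run whose conductor stays within r_wire_max."""
    return r_wire_max * area_mm2 / rho


def di_max_wire_resistance(v_inquiry=24.0, i_inquiry=0.005, r_card=250.0) -> float:
    """Eq. (2): Rl_max = 1/2 * (V / I - Rs) for a dry-contact DI loop."""
    return 0.5 * (v_inquiry / i_inquiry - r_card)


def do_relay_max_wire_resistance(v_supply=24.0, tolerance=0.10, i_max=0.050) -> float:
    """Eq. (3): the relay's permitted drop V*tol, at the DO card's maximum current."""
    return v_supply * tolerance / (i_max * 2)


def actuator_max_wire_resistance(v_rated=48.0, v_min=40.8, i_rated=0.3) -> float:
    """Eq. (4): drop from rated voltage to the actuator's minimum operating voltage."""
    return (v_rated - v_min) / (i_rated * 2)


def solenoid_max_wire_resistance(v_rated=48.0, p_nominal=3.6, tolerance=0.10):
    """Eqs. (5)-(6): coil resistance from V^2/P, the minimum loop current at the lowest
    acceptable coil voltage, then the permitted drop divided by that current.
    Returns (coil resistance, Rl_max)."""
    r_coil = v_rated ** 2 / p_nominal
    v_drop = v_rated * tolerance
    i_min = (v_rated - v_drop) / r_coil
    return r_coil, 0.5 * v_drop / i_min


def ai_transmitter_voltage(i_loop: float, v_loop=24.0, r_loop=587.25) -> float:
    """Section 3.3: voltage left across a 2-wire transmitter after the loop resistance."""
    return v_loop - i_loop * r_loop


def ai_max_wire_resistance(v_tolerance=1.0, i_max=0.020) -> float:
    """Eq. (8): supply tolerance (24 V +/- 1 V) over the 20 mA full-scale current."""
    return 0.5 * v_tolerance / i_max


def ao_max_wire_resistance(card_capacity=750.0, positioner_load=550.0) -> float:
    """Section 3.4: AO card capacity left over after the positioner, per conductor."""
    return (card_capacity - positioner_load) / 2


def select_core_area(r_wire_max: float, length_m: float, areas=STANDARD_AREAS):
    """Smallest standard core that keeps one conductor within r_wire_max over length_m;
    None if even the largest listed core is too thin (then re-examine the loop)."""
    for area in areas:
        if conductor_resistance(length_m, area) <= r_wire_max:
            return area
    return None


def sizing_for_run(length_m: float = 1000.0) -> dict:
    """Core area each loop type needs for a run of length_m (the paper's 1,000 m case)."""
    limits = {
        "DI dry contact": di_max_wire_resistance(),
        "DO relay": do_relay_max_wire_resistance(),
        "DO electric actuator": actuator_max_wire_resistance(),
        "DO solenoid valve": solenoid_max_wire_resistance()[1],
        "AI transmitter": ai_max_wire_resistance(),
        "AO positioner": ao_max_wire_resistance(),
    }
    return {loop: select_core_area(limit, length_m) for loop, limit in limits.items()}


if __name__ == "__main__":
    for loop, area in sizing_for_run().items():
        print(f"{loop:22s} -> {area} mm^2")
```

Running sizing_for_run() for a 1,000 m run reproduces the paper’s conclusion: the electric actuator loop (12 Ω per conductor) needs 1.5 mm², every other loop fits in 1.0 mm². The lengths the paper quotes (1348 m, 2022 m, 674 m, 1011 m, 5617 m) are the truncated values of max_laying_length() for the corresponding limits.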

3.5 Temperature Measuring Loop System

The temperature transmitters commonly used in nuclear power plants are mainly PT100 thermal resistances or type K thermocouples. Due to the particularity of their measurement principles, the signal transmission process is obviously different from that of other analog instruments. A separate analysis and calculation for typical temperature measurement loops follows. As shown in Fig. 6, the thermal resistance temperature measurement loop adopts a four-wire connection in order to avoid the influence of the wires on the measurement [7]. According to the principle of thermal resistance temperature measurement, the constant current source is supplied through two cables and the other two cables are connected to the voltmeter, so there is no voltage loss on the measuring conductors. Therefore, the signal cable of the thermal resistance temperature measurement loop can be a 1.0 mm² copper core cable, and the cable length has no practical influence on thermal resistance signal transmission.

Fig. 6. Schematic diagram of thermal resistance four-wire connection control loop system

According to the thermocouple temperature measurement principle, the voltage difference between the two ends of the thermocouple is mainly determined by the contact potential. As shown in Fig. 7, when two conductors of different materials come into contact, free electrons diffuse from conductors with large electron density to conductors with small density. Through this process, a contact potential is formed, and the temperature of the contact point determines the amount of electron diffusion.

Fig. 7. Thermocouple temperature measurement schematic diagram

Since thermocouples are mostly made of precious metals, cheap metals with thermoelectric characteristics similar to the thermocouple at lower temperatures (below 100 °C) are selected as compensation conductors in actual projects. According to the law of intermediate conductors, the length of the compensation conductor does not affect the thermocouple measurement, so the voltage difference between the DCS and the field thermocouple is only related to the thermocouple material and the temperature and is not affected by the intermediate process [8]. Therefore, as long as the total resistance of the temperature measuring loop is within the load capacity of the card, the resistance of the conductor can be ignored. In practical application, it is often electromagnetic interference on the compensation conductor that affects the measurement accuracy, so the necessary shielding is particularly important. At the same time, the DCS is designed with an input compensation bridge, an amplifier loop and a feedback loop, which can compensate the thermoelectric potential on the conductor.

4 Conclusion

Based on engineering practice, this paper gives the calculation method for the maximum laying length of instrumentation and control cable in the typical DI/DO/AI/AO signal loops and in special temperature measuring loops such as thermocouples and thermal resistances. In actual cable laying, the laying length of a single cable is generally within 1,000 m, so based on the above calculations the following conclusion can be drawn: motor-operated valve command signals powered by the DCS need 1.5 mm² cross-section copper core cables, and the other signal loops need 1.0 mm² cross-section copper core cables, which can meet the signal transmission requirements. In intrinsically safe detection loops, the influence of the safety barrier on the loop voltage drop should also be considered. Using the method described in this paper, the rationality of the cable core cross-section selection can be judged preliminarily. In engineering design, in addition to the above limiting conditions such as the operating voltage requirements of terminal equipment and the DCS load capacity, the signal transmission characteristics of different control loops should also be considered, such as the temperature and humidity of the cable laying environment, electrostatic interference, etc., which may also affect signal transmission on the circuit.

References
1. Du, J.-Z., Liu, Y.-C., Wei, G.-H., et al.: Problems and solutions of control cables and earthing section selection. Electr. Power Constr. (09), 115–117 (2010)
2. Chen, X.-C.: Selection of energy conversation for section of cable core. Energy Saving Nonferrous Metallurgy (05), 40–42 (2010)
3. Wang, C.-L.: Design and Application of Distributed Control System (DCS). Electronic Industry Press, Beijing (2004)
4. Yang, J.-F.: Research on the relation between length and sectional area of thermal control cable in power plant. Electromech. Inf. (30), 42–45 (2015)
5. Kang, Z.-L.: Research on selection of cable section. Nonferrous Mining Metallurgy (04), 49–52 (2002)
6. HG/T 20509: Design Code for Instrument Power Supply System (2000)
7. Shi, R., Liu, W.-J., Zheng, J.-G.: Automatic Instrument and Process Control. Electronic Industry Press, Beijing (2018)
8. Chen, Y.-X., Zuo, F., Dong, A.-H., et al.: Chemical Measurement and Instrumentation. Chemical Industry Press, Beijing (2010)

The Formulation of BOP Auxiliary System Centralized Control Network in Nuclear Power Plant

Xiao-Feng Li1,2(B), Zhi-Yin Liu1,2, Lei Jiang1,2, Heng Li1,2, and Zhou Xiao1,2

1 State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, Shenzhen 518045, Guangdong, China
[email protected]
2 China Nuclear Power Engineering Company Ltd., Shenzhen 518045, Guangdong, China

Abstract. With the rapid development of modern computer technology, control technology and communication technology, it has become a practical problem to optimize the monitoring mode of BOP sub-items, to seek more reasonable and effective, more economical and convenient, more stable and reliable engineering application solutions that reflect today’s mature automation technology, and to monitor and design these sub-items uniformly. In particular, the application of auxiliary control network technology in the auxiliary workshops of thermal power plants is already mature, and the technology has been widely used in the chemical industry, metallurgy and other industries. BOP sub-items are networked on the basis of the current monitoring mode, without affecting the project progress. Realizing moderate centralized control will improve the level of automatic operation and management of the nuclear power plant and meet the requirements of informatization management of the plant.

Keywords: Auxiliary system · Auxiliary control network · BOP

1 Introduction

Different from the unit digital control system (hereinafter referred to as DCS), the BOP auxiliary system centralized control network (hereinafter referred to as the BOP auxiliary control network) is a centralized monitoring, control and management network, built with network technology, for process systems or sub-items that are dispersed and play an auxiliary role in unit operation, so as to promote informatization management of the whole plant. The BOP auxiliary control network has not been applied substantively in China in nuclear power projects, whether under construction or in service. The operation and management mode of an on-site PLC control system plus computer monitoring is still used to control the BOP auxiliary systems and sub-items of nuclear power plants, which leads to the phenomenon of "information islands". This kind of operation and management mode not only has a relatively low level of informatization, but also brings a lot of inconvenience to the spare parts, operation and maintenance of the instrumentation and control equipment. With the development of network technology, adopting a monitoring network for the BOP auxiliary system is conducive to improving the informatization level of the unit, realizing unattended operation of sub-items, reducing operating personnel and increasing efficiency. It is an inevitable trend in the future design of nuclear power plant auxiliary systems and sub-items.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021 Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 114–122, 2021. https://doi.org/10.1007/978-981-16-3456-7_13

2 BOP Auxiliary System Control Network Analysis

The BOP auxiliary system is not closely related to the nuclear power plant units in terms of its operation. The majority of the systems operate intermittently, and most of the auxiliary systems serve multiple units simultaneously. Normally, nuclear safety functions are not involved; even a system failure or short-term outage will not immediately lead to withdrawal from the unit state [1]. With the rapid development of modern computer technology, control technology and communication technology, it has become a practical problem to optimize the monitoring mode of BOP sub-items, to seek more reasonable and effective, more economical and convenient, more stable and reliable engineering application solutions that reflect today’s mature automation technology, and to monitor and design these sub-items uniformly. In particular, the application of auxiliary control network technology in the auxiliary workshops of thermal power plants is already mature, and the technology has been widely used in the chemical industry, metallurgy and other industries. BOP sub-items are networked on the basis of the current monitoring mode, without affecting the project progress. Realizing moderate centralized control will improve the level of automatic operation and management of the nuclear power plant and meet the requirements of informatization management of the plant.

2.1 Status of Auxiliary System Control

At present, the BOP auxiliary system of a nuclear power plant is generally equipped with a local duty room and an independent control device. Most of them use a local PLC control system and a local operator station to realize detection and control of the auxiliary process system. Only a small amount of relatively important system information is sent to the main control room for indication or alarm through hard wiring. Some systems need operators to operate the local control device when performing specific operations.
The schematic diagram of the control system is shown in Fig. 1 below. In practice, the BOP auxiliary system is not limited to the several BOP auxiliary systems shown in Fig. 1. The locations of sub-items are scattered, and there is very little information exchange between the main control room and each sub-item, which is not convenient for monitoring and maintenance management of site operation.

116

X.-F. Li et al.

[Figure: labels recovered from the drawing: master control room and on-site control room, hard-wired signals to the DCS; local systems SDA, CPP, ...]

Fig. 1. Schematic diagram of the current BOP auxiliary control system

2.2 Solution of BOP Auxiliary Control Network

A BOP auxiliary control network solution is proposed to solve the above problems. With reference to the relevant regulations in the Technical Rule for Thermal Power Automation Design for Auxiliary System (shop) of Fossil Fuel Power Plant (DL/T 5227-2005), auxiliary systems of similar nature can be appropriately merged with control points according to geographical distribution [2]. The “water” system accounts for a large proportion of the auxiliary system of a nuclear power plant. The “water”-related systems and sub-items are centralized through Ethernet, and the monitoring room is located in the chemical water plant to realize centralized control and unified management, hereinafter abbreviated as the “water” solution. This solution is preferred as it is in line with the current operational requirements of nuclear power plants, as shown in Fig. 2 below.

[Figure: labels recovered from the drawing: operator station, engineer station, server, printer; firewalls on the links to 1DCS and 2DCS; SAD TCP/IP; local systems SDA, CPP, ...]

Fig. 2. Schematic illustration of BOP auxiliary control network structure for nuclear power plants

Another solution is to make an auxiliary control network of full range, which covers all the auxiliary control systems of a nuclear power plant, realizing the overall centralized control of the BOP system, hereinafter referred to as the “whole” solution. There is no essential difference between the two solutions, except the scope. Considering that it is applied to nuclear power projects for the first time, it could be more reasonable to give priority to including water-related sub-items into the scope of the auxiliary system centralized monitoring network. At the same time, plan to reserve all kinds of interfaces at one time, laying a good foundation for subsequent expansion.

The Formulation of BOP Auxiliary System

117

3 Network Architecture and System Composition

The auxiliary control network can be constructed from various networks, typically a single-loop network, a double-loop network or a star network [3], and possibly a hybrid architecture according to the equipment function and arrangement. The single-loop network is shown in Fig. 3 below.

[Figure: centralized monitoring network with historical data server, operator stations, KNS, screen server and one fiber optic exchange; local control system PLCs 0SHY, 0SWD, 0SDA, 0CTE, 1ATE, 1SIR, 1SIT, 2ATE, 2SIR, 2SIT, 3ATE, 3SIR, 3SIT, 4ATE, 4SIR, 4SIT connected in a single loop]

Fig. 3. Schematic diagram of a single-loop network.

The single-loop network adopts the hand-in-hand structure, and data can be transmitted in both directions between the Ethernet communication modules connected in the loop [7]. The failure of one communication module in the loop affects only the monitoring of the system in which that module is located; the other systems are unaffected. The main advantage of this network is its simple structure, which is easy to build and maintain [5]. In the case of on-site monitoring, the single-loop network can still meet the needs of centralized control of auxiliary systems.

[Figure: centralized monitoring network with historical data server, operator stations, KNS and screen server served by two fiber optic exchanges; local control system PLCs 0SHY, 0SWD, 0SDA, 0CTE, 1ATE, 1SIR, 1SIT, 2ATE, 2SIR, 2SIT, 3ATE, 3SIR, 3SIT, 4ATE, 4SIR, 4SIT connected to both loops]

Fig. 4. Schematic diagram of a double-loop network

See Fig. 4 for the double-loop network. The communication equipment of this network mainly includes switches, photoelectric converters, optical fiber and network servers. The communication system consists of two completely independent paths (data buses), including redundant bus interface modules. The two data buses always work at the same time, so the failure of one data bus does not prevent the operator from monitoring and operating normally. In order to provide reliable and effective communication among systems, the data communication system is connected with the control system input/output processing system, data acquisition system and system peripherals. If one communication data bus fails, the other should be put into operation immediately to ensure smooth and undisturbed communication.

Fig. 5. Schematic illustration of the star network structure

The star network is shown in Fig. 5. The communication equipment mainly includes core switch, access switch, network server, data server, etc. It can be connected by optical fiber or twisted-pair cable. If optical fiber is used, the network equipment also includes photoelectric converters and optical fiber. The main switch receives the data from each system at the same time. When the main switch fails, the standby switch immediately takes over the operation of the network main loop without affecting the monitoring of the system. In order to provide reliable and effective communication between systems, the data communication system connects the control system input/output processing system, data acquisition system and system peripherals. If one communication data bus fails, the other should be put into operation immediately to ensure smooth and undisturbed communication.

The operator station and the engineer station in the above three solutions are shared by all the auxiliary systems. The BOP auxiliary control room of the nuclear power plant can be set up in the desalination plant and shared with the desalination system control room. At the same time the on-site control room can be cancelled, with the on-site electronic equipment room retained. Considering the actual needs in operation, some important systems such as the condensate system and the hydrogen production station can retain the on-site host computer on the spot, and for the other systems a touch screen can be set on the spot as a temporary and supplementary means for commissioning, start-up and network failure. To lay the foundation for further improving the information level of the whole unit, and to solve the problem of the “information island” thoroughly, the BOP auxiliary system control network has a communication interface with the DCS of each unit, which can send the relevant data to the main control room for display, storage and analysis as needed [6]. After the BOP auxiliary control network is adopted, the operator can realize centralized monitoring and control of the systems or sub-items in the control room, reducing the frequency of operation inspection, which in turn leads to a decrease in the number of field operators. The efficiency and economy of system operation are improved.
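The failure-tolerance claims made above for the three topologies (single loop: one communication module failure affects only that system; double loop: one bus failure leaves monitoring intact; star: the standby core switch takes over) can be checked on a graph model. The following Python script is an added example and not part of the paper or the project's own tooling: it models each topology as a set of links, removes a failed module or bus, and lists which PLCs the centralized monitoring network can no longer reach. The PLC names are a subset of those in Fig. 3; the star topology's grouping of PLCs under access switches with dual uplinks to the core and standby core is an assumption of the model, and the second-failure cases it exercises (two modules failing on the single loop, a bus plus a module failing on the double loop) go beyond what the paper discusses.

```python
"""Single-failure reachability model for the auxiliary control network topologies
(single loop, double loop, star) described in Sec. 3.  Added example; the station
names are a subset of Fig. 3 and the star layout (access switches with dual
uplinks) is an assumption of this model, not a detail taken from the paper."""
from collections import deque

MON = "MON"  # centralized monitoring network: operator/engineer stations, servers
PLCS = ["0SHY", "0SWD", "0SDA", "0CTE", "1ATE", "1SIR", "1SIT"]  # subset of Fig. 3


def single_loop(plcs):
    """Hand-in-hand ring: MON and every PLC communication module sit on one loop (Fig. 3).
    Links are (node, node, bus) triples; the whole ring is one bus named 'loop'."""
    ring = [MON] + list(plcs)
    return [(ring[i], ring[(i + 1) % len(ring)], "loop") for i in range(len(ring))]


def double_loop(plcs):
    """Two completely independent rings, bus A and bus B (Fig. 4); every PLC has a
    redundant interface module on each bus, so the same ring is laid twice."""
    ring = [MON] + list(plcs)
    return [(ring[i], ring[(i + 1) % len(ring)], bus)
            for bus in ("busA", "busB") for i in range(len(ring))]


def star(plcs, access_size=3):
    """Core switch plus standby core (Fig. 5).  Assumption of this model: PLCs are
    grouped under access switches that uplink to both cores."""
    edges = [(MON, "core", "star"), (MON, "core_standby", "star")]
    for k in range(0, len(plcs), access_size):
        acc = f"access{k // access_size}"
        edges += [("core", acc, "star"), ("core_standby", acc, "star")]
        edges += [(acc, p, "star") for p in plcs[k:k + access_size]]
    return edges


def reachable(edges, failed_nodes=(), failed_buses=()):
    """Breadth-first search from MON over links whose endpoints and bus are intact."""
    if MON in failed_nodes:
        return set()
    adj = {}
    for u, v, bus in edges:
        if bus in failed_buses or u in failed_nodes or v in failed_nodes:
            continue  # a failed module or bus carries no traffic
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    seen, queue = {MON}, deque([MON])
    while queue:
        for nxt in adj.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def lost_plcs(edges, plcs, failed_nodes=(), failed_buses=()):
    """PLCs that the monitoring network can no longer reach, excluding the failed
    module itself (its own system is out of central monitoring either way)."""
    ok = reachable(edges, failed_nodes, failed_buses)
    return sorted(p for p in plcs if p not in ok and p not in failed_nodes)


if __name__ == "__main__":
    cases = [
        ("single loop, 0SDA module fails", single_loop(PLCS), ["0SDA"], []),
        ("single loop, 0SDA and 1ATE fail", single_loop(PLCS), ["0SDA", "1ATE"], []),
        ("double loop, bus A fails", double_loop(PLCS), [], ["busA"]),
        ("double loop, bus A and 0SDA fail", double_loop(PLCS), ["0SDA"], ["busA"]),
        ("star, core switch fails", star(PLCS), ["core"], []),
        ("star, access0 switch fails", star(PLCS), ["access0"], []),
    ]
    for name, edges, nodes, buses in cases:
        print(f"{name}: lost {lost_plcs(edges, PLCS, nodes, buses) or 'none'}")
```

The model reproduces the paper's single-failure statements and also shows where each topology's tolerance ends: on the single loop a second simultaneous module failure isolates the PLCs between the two failed modules, and in the assumed star layout an access switch is a single point of failure for the PLCs behind it, which is the kind of check worth running against an actual cabling plan before relying on the stated redundancy.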

4 Analysis on the Implementation of BOP Auxiliary Control Network

The BOP auxiliary control network of a nuclear power plant is realized in two situations: new construction and in-service transformation. Whether a new project or an in-service renovation, it is necessary to analyze and demonstrate the progress, interface, purchase, installation, commissioning, operation and maintenance of the auxiliary control network.

4.1 Impact Analysis of New Construction Progress

In order to meet the requirements of the unit DCS manufacturing schedule, in the nuclear power design of a new project a general special schedule plan is drawn up for management and tracking, to ensure that the system design is basically solidified in the preliminary design stage and to minimize the impact of later system design changes on the DCS schedule [4]. When the BOP auxiliary control network solution is adopted, the BOP system design schedule and the DCS are basically no longer related, which minimizes the impact on the DCS and thus reduces the progress pressure on the BOP auxiliary system design caused by the advanced manufacturing schedule. It is beneficial to construction schedule control.

4.2 Impact Analysis of New Works Design

The control room should be set up separately after the BOP auxiliary control network solution is adopted. Most of the signal exchange with the unit DCS will be transferred to the centralized control network of the BOP auxiliary system, which brings the following effects (Table 1):

Table 1. Design impact assessment table

S/N 1. Impact item: unit operating procedures and system operating procedures. Description: description and requirements of unit operating procedures and system operating procedures. Assessment and response measures: the operating procedures of the BOP system only need to be adjusted according to the changes in the management method, which can be resolved.

S/N 2. Impact item: affects the physical interface with the unit DCS. Description: change of physical interface and functional interface with the DCS. Assessment and response measures: solved through negotiation with the DCS supplier; it will not affect the overall progress of the unit's DCS.

S/N 3. Impact item: cable path channel. Description: changes in the type and quantity of cables between each sub-item and the DCS. Assessment and response measures: the communication cables are all optical fibers and the total number of cables is reduced, which is conducive to the overall planning of the cable channel and has no effect on the cable channel planning in the corridor.

S/N 4. Impact item: auxiliary control room layout design. Description: new layout design of the auxiliary control room. Assessment and response measures: consider sharing with a sub-item (demineralized water) control room; the cost of land and construction is not affected; it can be implemented when conditions are met.

S/N 5. Impact item: auxiliary control system technical specification. Description: changes in procurement requirements and scope of supply. Assessment and response measures: the scope of supply and technical requirements of each sub-item procurement technical specification shall be formulated uniformly.

S/N 6. Impact item: power supply design of the auxiliary control system. Description: request to add a dual power switch and an uninterruptible power supply. Assessment and response measures: the power capacity requirement is less than 5 kW; the new load will not have a significant impact on the electrical design.

S/N 7. Impact item: control response time requirements. Description: after the auxiliary control network is adopted, the processing of the signal intermediate link is increased, so the overall response time of the system lags. Assessment and response measures: BOP has no special requirements for response time; the response time is within the allowable range (the time for one-way data upload and for a command to traverse the entire channel is less than 1 s).

4.3 Impact Analysis of New Construction Procurement

One of the basic requirements of the BOP auxiliary control network is to realize a unified brand, communication interface, data interface and man-machine interface of the PLC control devices [8]. In order to achieve this, it is necessary to adjust the purchasing strategy of each auxiliary system (sub-item) of the original nuclear power reference project. There are two modes to choose from:

Mode 1: one of the auxiliary suppliers is responsible for the supply of the BOP centralized control network equipment, as well as the integration of interfaces with the other auxiliary systems, and ensures the overall performance of the centralized control network. The biggest advantage of this mode is that it will not have a significant impact on the existing procurement model.

Mode 2: the control device (PLC) is separated from the original supply scope of the different Party B complete systems; Party A conducts unified bidding and procurement, and separately entrusts a third party to carry out the integrated design. The biggest advantage of this mode is that it can ensure the unity of design requirements. However, its shortcomings are also prominent: for the sake of intellectual property, the logic diagram is only a functional expression, which sets up a great obstacle for the third-party control system integrator in the specific logic configuration design.

No matter which mode is adopted, the overall design institute of the nuclear power project is required to make detailed regulations on the brand, performance index, communication interface, picture line type, color, graphic symbol, etc. of the software and hardware in each procurement technical specification.

4.4 Impact of Transformation on In-Service Power Plant Operation

Based on the mode of in-service transformation, the original control equipment and on-site monitoring means of the BOP system are retained. On this basis, the auxiliary control network is added to extract the information from the control system to the monitoring layer, display and operate it centrally, and allow the operation right to be switched at any time. When the unit is already in operation, independent design and procurement of the BOP auxiliary control network will not affect unit operation. The schedule may have a certain impact on the overhaul progress of the unit. For example, the design, layout and software loading can be carried out during normal operation, and some access work can be carried out in a short outage period of a single BOP system. The overall system connection and step-by-step commissioning using the overhaul window will not affect the overhaul progress. The focus is on the impact on operation mode and management brought about by the addition of the auxiliary control network ports. The BOP system has its own independent control, and there are rules to be followed in the inspection and examination procedures. However, with the addition of the auxiliary control network, the changes brought about by breaking the original rules may have a certain impact on the stable operation of the BOP system. In order to avoid such an impact, it is necessary to carry out adaptive planning and training on the operation mode of the auxiliary control network in advance, adjust personnel deployment, inspection and examination procedures, and manage the spare parts of the auxiliary control network well.


5 Conclusion

Nuclear power plants can learn from the mature application experience of the above-mentioned industries, especially thermal power, without technical problems or application risks. After a centralized monitoring network is adopted for the BOP auxiliary system, it can significantly improve the informatization level of the unit, reduce staff and increase efficiency, and has many other advantages such as convenient spare parts management and system maintenance. This paper presents a centralized monitoring network plan for the BOP auxiliary system of nuclear power plants, analyzes the impact of adopting the BOP auxiliary system centralized monitoring network on the current mature nuclear power plant design, procurement, construction and commissioning modes, and lays the foundation for implementing the BOP auxiliary centralized monitoring network in new construction and in in-service transformation.

References

1. Guangdong Nuclear Power Training Center: 900 MW Pressurized Water Reactor Nuclear Power System and Equipment. Atomic Energy Press (2007)
2. Thermal Power Plant Auxiliary System (workshop), Thermal Automation Design. DL/T 5227-2005
3. The report of BOP Auxiliary System Centralized Control Network in Nuclear Power Plant. Project file
4. Jiang, L.: Application research report of BOP auxiliary control network in ACPR1000
5. Wang, H.: Design instruction manual - BOP auxiliary control network design principles
6. Tian, H.: Technical rule of thermal power automation design for auxiliary system (shop) of fuel power plant (DL/T 5227-2005)
7. Sun, D.: Auxiliary workshop control network
8. Jiang, L.: The Appliance of BOP Auxiliary System Centralized Control Network in Nuclear Power Plant

An AHP-Fuzzy Complex Evaluation Method for MCR Human Factors Engineering Verification and Validation

Yuan Gao(B) and Yi-Wei Ma

China Nuclear Power Engineering Co., Ltd., Beijing, China

Abstract. Human Factors Engineering (HFE) design of Main Control Room (MCR) is very important to the performance of operators and the operation of Nuclear Power Plants (NPPs). In order to reduce potential human errors, the design of an MCR must consider appropriate human factors. Human factors verification and validation (V&V) evaluations comprehensively determine that the HFE design conforms to HFE design principles. HFE V&V enables plant personnel to successfully perform their tasks to assure plant safety and operational goals. However, in the design verification process, the evaluation of some qualitative design indexes is largely limited by the subjective factors of the tester. In order to improve this deficiency, this paper presents an AHP-fuzzy complex evaluation method based on nuclear industry standard and MCR design experience to assist MCR HFE design verification. The proposed method provides a set of MCR HFE evaluation indexes, the determination of weight factors and fuzzy complex evaluation model. Some preliminary evaluation results are provided and discussed.

Keywords: HFE · Design verification · Complex evaluation · AHP · MCR

1 Introduction

In a nuclear power plant, the main control room system is an ensemble of human-system interface (HSI), operators, operating procedures, training programs and related facilities, which together maintain the correct execution of control room functions. The basic goal of the control room design is to provide operators with timely, accurate and complete information about the functional status of power plant equipment and systems. All operating conditions are considered in the design of the control room to optimize the operation tasks, reduce the workload of supervision and control for operators, and provide necessary information to other facilities outside the control room. Special attention must be paid to the human factors (HF) principle and human characteristics in the design to ensure that the functions necessary to accomplish plant goals are sufficiently defined and analyzed, so that the allocation of functions to personnel and machine resources can take advantage of human and machine strengths and avoid human and machine limitations. Since the Three Mile Island accident, the importance of human factors engineering (HFE) in the control room design of nuclear power plants (NPPs) has been highly emphasized by the industry. Human factors verification and validation (HF V&V), as an important part of human factors engineering, is used to evaluate whether the control room system design complies with human factors engineering principles and whether the human-system interface design can effectively support the task requirements of operators to achieve the power plant operation goals. So far, HF V&V has become an important means to identify design defects as well as important human errors, and it covers the whole life cycle of MCR design.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 123–133, 2021. https://doi.org/10.1007/978-981-16-3456-7_14

124

Y. Gao and Y.-W. Ma

2 Human Factors V&V Overview

The HF V&V element consists of four major activities: Sampling of Operational Conditions, Design Verification, Integrated System Validation, and HED Resolution [1, 2] (Fig. 1).

[Figure: Sampling of Operational Conditions feeds Design Verification (HSI Inventory and Characterization, HFE Design Verification, Task Support Verification) and Integrated System Validation, both of which feed HED Resolution]

Fig. 1. HFE V&V process

Design verification, as part of HFE V&V, runs through the entire HSI design process of the control room, and is an important means of verifying and confirming the HFE design of the control room. Design verification can use mock-up models or an existing engineering verification platform to allow verifiers (including operators, HFE personnel, operation experts, etc.) to experience the real human-system interface and confirm the rationality and feasibility of the design scheme. The integrated system validation (ISV) is launched before commissioning of the nuclear power plant, after completion of the human factors engineering analysis and design work. Its purpose is to provide evidence that the integrated HSI adequately supports operating crew performance in the safe operation of the plant [4]. ISV comprehensively considers factors such as hardware, software, procedures, operators, etc., and uses performance-based tests covering a series of representative test scenarios to demonstrate and evaluate the usability and fault tolerance of the HSI design, as well as the procedures, training and the sufficiency of the staffing level of the MCR, which determines whether safe operation of the power plant is adequately supported [5].

In the MCR human-system interface design process, design verification often starts at the later stage of the detailed design of the HSI. The verification is mainly carried out by guideline comparison, cognitive walkthrough or questionnaire. However, for qualitative evaluation indexes that are difficult to quantify, the subjective factors of the verifiers have a great influence on the design verification process. Meanwhile, the verification process often focuses on the satisfaction of a single standard clause and lacks an overall evaluation of the human factors design results. This paper proposes to apply a fuzzy complex evaluation method based on the analytic hierarchy process (AHP) to conduct quantitative analysis of the verification content, so as to reduce the influence of subjective factors in the verification process and grasp the overall quality of human factors design in the control room.

An AHP-Fuzzy Complex Evaluation Method for MCR HFE

125

3 AHP-Fuzzy Complex Evaluation Model

3.1 Establishment of Evaluation Index System

The evaluation index system is the basis for evaluating the quality of HFE design. However, current research lacks a unified evaluation index system for the control room HFE design of human-system interfaces. This paper is based on NUREG 0700 specified by the US Nuclear Regulatory Commission [3], which is widely used in the domestic nuclear power industry, with reference to GB/T 13630 Design of Control Room of Nuclear Power Plants and the ISO 11064 Ergonomic Design of Control Centers series of standards [6, 7], combined with engineering design experience, and establishes a set of evaluation indexes for HFE design in the design verification process at different design phases. Figure 2 shows the process of the AHP-fuzzy complex evaluation. Table 1 shows the evaluation index system for control room HFE design at different design phases.

3.2 Multilevel Fuzzy Complex Evaluation Model

The top layer of the evaluation index system is the target layer, and the middle layer is the evaluation index layer, which is a general description of an index in the system. The middle layer inherits from top to bottom: it is subordinate to the target layer and at the same time dominates the next layer. For complex systems, a multi-level fuzzy complex evaluation model must be applied to sort out the evaluation indexes involved in the evaluation objects, gradually divide the layers on the basis of large categories, refine the evaluation indexes, and finally obtain the most accurate evaluation results. In actual engineering project evaluation, the model can be stratified according to the complexity of the influencing indexes. The first-level indexes can be stratified into second-level indexes. If the information contained in the second-level indexes is still complicated, the stratification can be continued to obtain a third-level or higher multi-level evaluation model.
This paper mainly introduces the two-level evaluation model.

Determine Index Weights. The Analytic Hierarchy Process (AHP) is used to determine the index weights. The basic idea is to decompose the problem into several levels and several indexes by analyzing the elements contained in the complex problem and their interrelationships, to compare the indexes of each layer pairwise according to certain criteria at each level, and then to form the judgment matrix quantitatively. By calculating the maximum eigenvalue of the judgment matrix and the corresponding normalized eigenvector, the weight of each index with respect to the criterion is obtained.

[Figure: flow from standards & guidelines, the theoretical basis of the evaluation model and engineering design experience, through analysis of evaluation factors (MCR layout, sit-down console, stand-up console, digital HSI, conventional HSI, environment) and the evaluation index system, to AHP (determine the weight factors), the fuzzy complex evaluation model, complex evaluation and case study]

Fig. 2. Evaluation process

1) Establish a judgment matrix

The judgment matrix holds judgment values indicating the relative importance of each index at the same level. The relative importance of each index is determined by several experts, and a nine-point proportional scale of relative importance is introduced (9, 7, 5, 3, 1, 1/3, 1/5, 1/7, 1/9). Let the number of indexes contained in the target layer, criterion layer and scheme layer be 1, j and k. The relative relationship between two factors is judged according to the grading scale, so as to construct a pairwise comparison judgment matrix. Table 2 shows the judgment matrix of the criterion layer with respect to the target layer, abbreviated as the A-B matrix. Table 3 shows the judgment matrix of the scheme layer with respect to the criterion layer, abbreviated as the B-C judgment matrix.

2) Calculate the relative weight under a single criterion

The relative weight of the criterion layer with respect to the target layer:

$W = (w_1, w_2, \ldots, w_n)^T$   (1)

The relative weight of the scheme layer with respect to the criterion layer:

$W_l = (w_{1l}, w_{2l}, \ldots, w_{nl})^T, \quad l = 1, 2, \ldots, k$   (2)

Table 1. Evaluation index system for HFE design

Table 2. The judgment matrix of A-B

A     B1    B2    …    Bj
B1    a11   a12   …    a1j
B2    a21   a22   …    a2j
…     …     …     …    …
Bj    ai1   ai2   …    aij

Table 3. The judgment matrix of B-C

B     C1    C2    …    Cj
C1    a11   a12   …    a1k
C2    a21   a22   …    a2k
…     …     …     …    …
Cj    ai1   ai2   …    aik

3) Find the maximum eigenvalue

$\lambda_{\max} = \sum_{i=1}^{n} \frac{(A\bar{w})_i}{n w_i}$   (3)

4) Consistency check

The judgment matrix is an ordering of the importance of the indexes given by subjective judgment, so it carries a subjective element. It therefore cannot be taken for granted that the judgment matrix is consistent, and a consistency check must be applied to avoid errors. CI measures the degree of inconsistency of the judgment matrix:

$CI = \frac{\lambda_{\max} - n}{n - 1}$   (4)

where n is the order of the judgment matrix. The smaller the value of CI, the better the consistency of the judgment matrix. In order to control the degree of consistency within a certain range, the random consistency index RI is introduced [8] (Table 4).

Table 4. The different value of RI with different rank n

n     1     2     3      4      5      6      7      8      9
RI    0     0     0.58   0.90   1.12   1.24   1.32   1.41   1.45

The RI value of a 1st- or 2nd-order judgment matrix is 0, and such a matrix is always consistent. When n > 2, consistency is checked with CR:

$CR = \frac{CI}{RI}$   (5)

If CR ≤ 0.1, the judgment matrix is considered to have satisfactory consistency; if CR > 0.1, the indexes must be compared and judged again and the judgment matrix adjusted.


Establish Evaluation Indexes Set.

$U = \{u_i\} = \{u_1, u_2, u_3, \ldots, u_m\}$   (6)

U is the set formed by the evaluation indexes; $u_i$ (i = 1, 2, …, m) represents each evaluation index. For the whole evaluation process, the entire design evaluation can be expressed as U, and $u_i$ is each evaluation index in the criterion layer in Table 1.

Create Evaluation Set. The evaluation set V mainly refers to the possible evaluation results given by the evaluator. In this paper, the fuzzy subset of human factor design evaluation in the control room is divided into five levels, defined as V = {v1, v2, v3, v4, v5}, namely {very good, good, relatively good, general, poor}, and judgment criteria are set for the final evaluation results (Table 5).

Table 5. Level evaluation standard

Results    Grade
100-80     Very good
80-60      Good
60-40      Relatively good
40-20      General
20-0       Poor

Determine Single Index Membership. Starting from one index in the evaluation index set, the evaluation object is evaluated to obtain an evaluation value matrix R:

$R = (r_{ij}) = \begin{pmatrix} r_{11} & \cdots & r_{1n} \\ \vdots & \ddots & \vdots \\ r_{m1} & \cdots & r_{mn} \end{pmatrix}$   (7)

$r_{ij}$ indicates the membership with which index $U_i$ is rated as $V_j$, normalized. Due to the complexity of the evaluation indexes of the control room system, it is difficult to determine a specific fuzzy distribution, so the expert evaluation method is used. Let n be the number of effective consultations and $y_{ij}$ the number of times $U_i$ is rated as $V_j$; then $r_{ij} = y_{ij}/n$.

Complex Evaluation. The basic model of fuzzy complex evaluation is expressed as:

$B = A \cdot R$   (8)

where “·” represents the composition operator and $B = (b_1, b_2, \ldots, b_n)$ is a fuzzy subset on the evaluation set V. Through calculation, the second-level fuzzy complex evaluation vector B of the human factor design evaluation in the control room can be obtained, and the weighted average method is used to process the fuzzy complex evaluation vector set to obtain the final fuzzy evaluation result:

$V = \sum_{i=1}^{5} B_i V_i$   (9)

By comparing the final result with the score of each evaluation grade, the HFE design quality is determined.

4 Case Study

4.1 Weight Determination Based on AHP

Take the human factors design evaluation of the main control room in the preliminary design phase as an example. According to the survey results of the expert questionnaire, the results obtained through statistics and calculation are shown in Table 6.

Table 6. The evaluation index system and weight factors

Target layer: MCR HFE design in the preliminary design phase

Criterion layer index (weight), followed by its scheme layer indexes (weight):

U1 Control room layout (0.58)
  U11 Space for files, emergency equipment, etc. (0.095)
  U12 The monitoring and control equipment in the control room should be accessible (0.34)
  U13 Enough room for maintenance (0.144)
  U14 The personnel passage is unobstructed and has sufficient passage space (0.273)
  U15 The functional division of the control room is clear and the layout is reasonable (0.148)

U2 Sit-down console (0.31)
  U21 Operator visibility to the HSI (0.564)
  U22 Operator accessibility to control equipment (0.265)
  U23 Chair parameters (0.118)
  U24 Knee-tolerant space (0.055)

U3 Stand-up console (0.11)
  U31 Operator visibility to the HSI (0.43)
  U32 Operator accessibility to control equipment (0.43)
  U33 Comfortable operation of conventional equipment (0.14)


The judgment matrices and calculation results are shown in Tables 7, 8, 9 and 10.

Table 7. The result of U1–U3 judgment matrix

       U1     U2     U3
U1     1      2      5        λmax = 3.0037
U2     1/2    1      3        CI = 0.00185
U3     1/5    1/3    1        CR = 0.0036 < 0.1

Table 8. The result of U11–U15 judgment matrix

       U11    U12    U13    U14    U15
U11    1      1/2    1/2    1/2    1/3      λmax = 5.251
U12    2      1      3      1      4        CI = 0.0625
U13    2      1/3    1      1/2    1        CR = 0.056 < 0.1
U14    2      1      2      1      2
U15    3      1/4    1      1/2    1

Table 9. The result of U21–U24 judgment matrix

       U21    U22    U23    U24
U21    1      2      5      7        λmax = 4.12
U22    1/2    1      3      5        CI = 0.039
U23    1/5    1/3    1      3        CR = 0.043 < 0.1
U24    1/7    1/5    1/3    1

Table 10. The result of U31–U33 judgment matrix

       U31    U32    U33
U31    1      1      3        λmax = 3
U32    1      1      3        CI = 0
U33    1/3    1/3    1        CR = 0 < 0.1


Y. Gao and Y.-W. Ma

It can be seen that the consistency ratio of each judgment matrix is less than 0.1, so every matrix is consistent and the data in Table 1 is acceptable.

4.2 Complex Evaluation

According to the scores of all experts on the different indexes, the evaluation matrix R is formed.

The evaluation matrix of the evaluation factor “MCR Layout”:

$$R_1 = \begin{pmatrix} 0.4 & 0.2 & 0.2 & 0.2 & 0 \\ 0.7 & 0.2 & 0.1 & 0 & 0 \\ 0.5 & 0.2 & 0.1 & 0.1 & 0.1 \\ 0.6 & 0.2 & 0.2 & 0 & 0 \\ 0.5 & 0.2 & 0.1 & 0 & 0.1 \end{pmatrix} \qquad (10)$$

The evaluation matrix of the evaluation factor “Sit-down Console”:

$$R_2 = \begin{pmatrix} 0.6 & 0.1 & 0.2 & 0.1 & 0 \\ 0.7 & 0.1 & 0.1 & 0.1 & 0 \\ 0.6 & 0.2 & 0.2 & 0 & 0 \\ 0.8 & 0.1 & 0.1 & 0 & 0 \end{pmatrix} \qquad (11)$$

The evaluation matrix of the evaluation factor “Stand-up Console”:

$$R_3 = \begin{pmatrix} 0.5 & 0.2 & 0.2 & 0.1 & 0 \\ 0.7 & 0.2 & 0.1 & 0 & 0 \\ 0.6 & 0.2 & 0.2 & 0 & 0 \end{pmatrix} \qquad (12)$$

The weight vector A of each criterion is multiplied by its evaluation matrix R to obtain the complex evaluation value set of that index, and all the single-index complex evaluation value sets together form the evaluation value matrix of the human factor design evaluation in the preliminary design phase of the MCR, namely:

$$R = \begin{Bmatrix} B_1 \\ B_2 \\ B_3 \end{Bmatrix} = \begin{pmatrix} 0.5858 & 0.2 & 0.091 & 0.0607 & 0.0292 \\ 0.6378 & 0.1118 & 0.1682 & 0.0829 & 0 \\ 0.6 & 0.2 & 0.157 & 0.043 & 0 \end{pmatrix} \qquad (13)$$

Through calculation, the two-level fuzzy complex evaluation vector of the human factor design evaluation of the control room is obtained:

$$B = A R = \begin{pmatrix} 0.6035 & 0.1727 & 0.1222 & 0.0656 & 0.0169 \end{pmatrix} \qquad (14)$$

Assign {90, 70, 50, 30, 10} to the evaluation set V, and use the weighted average method to obtain the final fuzzy evaluation result:

$$V = \sum_{i=1}^{5} B_i V_i = 74.651 \qquad (15)$$

Checking against Table 5, the evaluation result of the MCR HFE design in the preliminary design phase is “Good”.
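The following is an added worked example (my own code, not the authors'): it re-derives the AHP weights and consistency ratios of Tables 7–10 from the judgment matrices as printed, then carries out the fuzzy complex evaluation of Eqs. (13)–(15) using the Table 6 weights and the evaluation matrices of Eqs. (10)–(12). The random consistency index table RI is an assumption chosen to reproduce the CR values the paper reports (RI(3) = 0.52, RI(4) = 0.89, RI(5) = 1.12); the reciprocity check rejects a matrix that was mis-transcribed, and recomputing the weights lets a reader confirm each judgment matrix against the weights listed in Table 6. Because the second stage uses the printed R matrices, its result is whatever those matrices yield.

```python
from math import prod
from typing import Dict, List, Sequence, Tuple

Matrix = List[List[float]]

# Random consistency index by matrix order (assumption: the RI values that
# reproduce the CR figures reported in Tables 7-10).
RI = {1: 0.0, 2: 0.0, 3: 0.52, 4: 0.89, 5: 1.12}


def check_judgment_matrix(a: Matrix) -> None:
    """A pairwise comparison matrix must be square, of supported order,
    strictly positive and reciprocal (a[i][j] * a[j][i] == 1)."""
    n = len(a)
    if n not in RI:
        raise ValueError(f"unsupported matrix order {n}")
    for i in range(n):
        if len(a[i]) != n:
            raise ValueError("judgment matrix must be square")
        for j in range(n):
            if a[i][j] <= 0 or abs(a[i][j] * a[j][i] - 1.0) > 1e-9:
                raise ValueError(f"entries ({i},{j}) and ({j},{i}) are not reciprocal")


def ahp_weights(a: Matrix) -> List[float]:
    """Priority vector by the row geometric-mean method, normalised to sum 1."""
    check_judgment_matrix(a)
    n = len(a)
    gm = [prod(row) ** (1.0 / n) for row in a]
    total = sum(gm)
    return [g / total for g in gm]


def consistency(a: Matrix) -> Tuple[float, float, float]:
    """Return (lambda_max, CI, CR); the matrix is acceptable when CR < 0.1."""
    n = len(a)
    w = ahp_weights(a)
    aw = [sum(a[i][j] * w[j] for j in range(n)) for i in range(n)]
    lam = sum(aw[i] / w[i] for i in range(n)) / n      # lambda_max estimate
    ci = (lam - n) / (n - 1) if n > 1 else 0.0
    cr = ci / RI[n] if RI[n] else 0.0
    return lam, ci, cr


def fuzzy_compose(weights: Sequence[float], r: Matrix) -> List[float]:
    """B = A . R: weighted-sum composition of an evaluation matrix."""
    if len(weights) != len(r):
        raise ValueError("one weight per row of R is required")
    return [sum(weights[i] * r[i][k] for i in range(len(r))) for k in range(len(r[0]))]


def weighted_score(b: Sequence[float], v: Sequence[float] = (90, 70, 50, 30, 10)) -> float:
    """Weighted-average defuzzification over the grade values of V (Eq. 15)."""
    return sum(bi * vi for bi, vi in zip(b, v))


# Judgment matrices as printed in Tables 7-10.
T7 = [[1, 2, 5], [1 / 2, 1, 3], [1 / 5, 1 / 3, 1]]
T8 = [[1, 1 / 2, 1 / 2, 1 / 2, 1 / 3], [2, 1, 3, 1, 4], [2, 1 / 3, 1, 1 / 2, 1],
      [2, 1, 2, 1, 2], [3, 1 / 4, 1, 1 / 2, 1]]
T9 = [[1, 2, 5, 7], [1 / 2, 1, 3, 5], [1 / 5, 1 / 3, 1, 3], [1 / 7, 1 / 5, 1 / 3, 1]]
T10 = [[1, 1, 3], [1, 1, 3], [1 / 3, 1 / 3, 1]]

# Weights as listed in Table 6 and evaluation matrices of Eqs. (10)-(12).
A = [0.58, 0.31, 0.11]
A1 = [0.095, 0.34, 0.144, 0.273, 0.148]
A2 = [0.564, 0.265, 0.118, 0.055]
A3 = [0.43, 0.43, 0.14]
R1 = [[0.4, 0.2, 0.2, 0.2, 0], [0.7, 0.2, 0.1, 0, 0], [0.5, 0.2, 0.1, 0.1, 0.1],
      [0.6, 0.2, 0.2, 0, 0], [0.5, 0.2, 0.1, 0, 0.1]]
R2 = [[0.6, 0.1, 0.2, 0.1, 0], [0.7, 0.1, 0.1, 0.1, 0], [0.6, 0.2, 0.2, 0, 0],
      [0.8, 0.1, 0.1, 0, 0]]
R3 = [[0.5, 0.2, 0.2, 0.1, 0], [0.7, 0.2, 0.1, 0, 0], [0.6, 0.2, 0.2, 0, 0]]


def evaluate_mcr() -> Dict[str, object]:
    """Run both stages and return every intermediate result for inspection."""
    stage1 = {name: (ahp_weights(m), consistency(m)[2])
              for name, m in (("T7", T7), ("T8", T8), ("T9", T9), ("T10", T10))}
    b1, b2, b3 = fuzzy_compose(A1, R1), fuzzy_compose(A2, R2), fuzzy_compose(A3, R3)
    b = fuzzy_compose(A, [b1, b2, b3])            # two-level composition, Eq. (14)
    return {"ahp": stage1, "B1": b1, "B2": b2, "B3": b3, "B": b, "score": weighted_score(b)}


if __name__ == "__main__":
    res = evaluate_mcr()
    for name, (w, cr) in res["ahp"].items():
        print(name, [round(x, 3) for x in w], "CR =", round(cr, 4))
    print("B =", [round(x, 4) for x in res["B"]], "score =", round(res["score"], 3))
```

The row geometric-mean method is used for the priority vector because it reproduces the Table 6 weights for Tables 7, 8 and 10 to three decimals; the λmax estimate is the mean of (Aw)_i / w_i, the usual textbook approximation.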


5 Conclusion

Based on engineering design experience and standards, this paper identifies the main evaluation indexes of human factor design in the control room at different design phases, uses the analytic hierarchy process to determine the weight of each evaluation index, and quantifies the qualitative indexes through fuzzy complex evaluation. In this way, an overall evaluation of the human factor design quality of the control room is realized. Combined with human factor design verification, this method can compensate for the influence of subjective factors on verification results. In addition, different elements can be extracted from the design evaluation index system identified in this paper for evaluation in different design phases, which enables project engineers to start HFE design verification and evaluation from the early stage of control room design (for example before control room civil engineering or MCR console structure design). This method can effectively avoid modifications caused by non-compliance with HFE requirements, and lay a good foundation for the design quality, progress and cost of the entire project. Moreover, this method can also be applied to the comparison and evaluation of different human factors design schemes during control room upgrading of in-service power plants or control room design optimization of new power plants, which helps to select the best scheme among several. It should be noted that the data analysis in this paper needs to be further refined. However, the results of the preliminary analysis show that this method is quite reasonable. Furthermore, this method can be combined with the 3D design of the control room and VR technology to make the evaluation results more reasonable.


Research on Control Strategy of Nuclear Island Ventilation Systems in Nuclear Power Plant

Zhou Xiao1,2 (B), Heng Li1,2, Li-Ming Zhang1,2, Xin Du1,2, and Hua-Qing Peng1,2

1 State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Company Ltd., Shenzhen 518172, China
[email protected]
2 I&C Department, China Nuclear Power Engineering Company Ltd., Shenzhen 518172, China

Abstract. This paper explains the overall control strategy of the nuclear island ventilation system in the CPR1000 NPP (Nuclear Power Plant) and expounds the current situation of the nuclear island ventilation system. It analyzes the problems to be solved and the challenges to be faced. Based on products available on the market, it puts forward a new control strategy and idea. It is necessary to develop a nuclear safety-class electrical heater power regulation control cabinet for local temperature regulation control, and a local control cabinet based on simple hardware or an integrated safety-class electrical heater with self-control. The safety-class local power regulation control cabinet and the on-off local control cabinet were developed successfully in this study, but there are no safety-class integrated electrical heaters with self-control on the market, and these shall be developed in the future. The paper then proposes a control logic architecture and introduces the control logic design idea, from the equipment level to the plant level. At present, in new construction NPPs, nuclear island ventilation systems have basically realized “system level” control and completely realized “sub-function level” control according to this study. Subsequently, the relationship between the “system level” and the “plant level” can be sorted out to further realize “plant-level” control. More intelligent ventilation and air conditioning algorithms may also be introduced to improve the overall control level of nuclear island ventilation systems in NPPs.

Keywords: Nuclear Power Plant · Nuclear Island ventilation system · Control strategy

1 Introduction

Nuclear island ventilation systems in NPPs are auxiliary systems with two functions: (i) maintaining ambient conditions in the plant unit buildings that ensure personnel access and normal equipment operation; (ii) monitoring and limiting controlled air releases under normal operation or accident conditions [1]. Compared with other industries and non-radioactive factory buildings, the nuclear island ventilation system has its own uniqueness and must meet the Nuclear Power Plant’s requirements for radioactivity tolerance and personnel occupancy [2].

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 134–147, 2021. https://doi.org/10.1007/978-981-16-3456-7_15


The main control functions of nuclear island ventilation systems are shown in Fig. 1. Actuators and instruments of nuclear island ventilation systems are distributed to the corresponding control platforms to implement control. Some equipment is controlled in local control cabinets, and some is controlled on the DCS (Digital Control System) control platform.

Fig. 1 (figure not reproduced; its content is summarized here) groups the main control functions of nuclear island ventilation systems and marks each as either “controlled and monitored in DCS” or “controlled in local control cabinets”:
Air supply/exhaust control: supply/exhaust fan control; regulation damper control.
Cooling water production control: air/water cooling unit control.
Air supply temperature and humidity control: electrical heater in air duct control; regulation valve of cold water coil control; humidifier control.
Fire/smoke exhaust control: smoke exhaust damper/smoke exhaust fan control; fire damper control.
Radioactive dynamic containment control: iodine filtration heater (for dehumidification) control; iodine filtration fan control; monitoring of iodine filter column.
Radioactive static containment control: containment border isolation damper control; isolation damper of building boundary control.
Room temperature control: heating by regulation control (electrical heater), on-off control (electrical heater) and on-off control (local unit heater); cooling by local cooling unit control.

Fig. 1. Main control functions of nuclear island ventilation systems

Much equipment in CPR1000 NPPs is controlled in non-safety-class local control cabinets. The logical and analog control in a local control cabinet is implemented with relay units configured according to the control requirements, or with a DDC (Direct Digital Control) controller or PLC configured for programmed control [3]. The fault status of the local control cabinet is sent to the DCS. The local control cabinet adopts a standardized design according to the different actuators and control targets, and is divided into five standard control modes, each corresponding to a standardized control cabinet, as shown in Table 1. During design, cabinets can also be matched to different requirements; for example, if the two functions of cooling regulation control and start-stop control of an electrical heater need to be combined, this can be realized by combining the Mode B and Mode D circuits in one cabinet. In recent years, the requirements of ventilation system design and equipment specifications have gradually been raised according to the latest standards and designs. The safety classification principle of the nuclear island ventilation system of CPR1000 NPPs mainly followed RCC-P “Design and Construction Rules for the system design of 900 MWe Pressurized Water Reactor Nuclear Power Plant”, but new construction NPPs today follow IAEA SSG-30; therefore, the classification of some local control cabinets shall be raised from non-safety class to safety class. How to balance safety and construction cost will become a research topic.

Table 1. Standard control mode table for local control in CPR1000 NPPs

No.  Standard mode  Control function                                              Actuator                                                                          Classification
1    Mode A         Constant temperature and humidity regulation control          Electrical heater, regulating water valve of cooling coil, humidifier             NC+a/NC
2    Mode B         Cooling (regulation control)                                  Cooling coil water valve regulation control                                       NC+a/NC
3    Mode C         Heating (regulation control)                                  Electrical heater and power regulator                                             NC+a/NC
4    Mode D         Heating (on-off control according to temperature)             Electrical heater                                                                 NC+a/NC
5    Mode E         Temperature regulation control (with air regulation dampers)  Electric heater, regulating water valve of cooling coil, air regulation dampers    NC+a/NC

Note a: compared with NC classification equipment, NC+ adds seismic or special environment requirements.

In order to facilitate central monitoring and management, most equipment is controlled by the DCS, and operators can control the equipment remotely from the main control room. The logical design of CPR1000 NPPs implements some “sub-functional level” control, but does not implement “system level” control. Nuclear island ventilation systems still have some equipment that the operator must operate one by one through push buttons. So the control algorithm of the nuclear island ventilation control system is simple and the level of automation is low in CPR1000 NPPs. With the development of the times and of automation technology, it is necessary to improve the level of control. This paper analyzes and explains the overall control strategy of the nuclear island ventilation system in the Nuclear Power Plant and expounds the current situation of the nuclear island ventilation system. It analyzes the problems to be solved and the challenges to be faced during implementation. Finally, it puts forward a control strategy and reference idea for the nuclear island ventilation system.

2 Analyses of Industry Development and Challenges

2.1 Safety Classification Requirements Changes and Challenges

Safety classification in the CPR1000 NPP is mainly determined according to RCC-P. China’s safety classification standards mainly refer to foreign standards and design concepts. As a widely used and instructive system adopted in many countries, IAEA SSG-30 provides a complete set of procedures and methods for deriving the safety classification of items from safety functions. It is a deterministic method, with probabilistic analysis used as a supplement [4], and the whole method is strongly logical. As a third generation Nuclear Power Plant built in recent years, the French third generation European PWR (EPR) determined its safety classification based on the European Nuclear Power User Requirements Document (EUR). The safety classification method of the EPR and the safety classification concept in the EUR are similar to IAEA SSG-30. Analyzing the IAEA SSG-30 analysis method and the EPR case helps to identify the challenges to the ventilation system caused by changes in safety classification requirements. IAEA SSG-30 defines three safety categories, namely Safety category 1, Safety category 2 and Safety category 3. The classification is summarized in Table 2.

Table 2. Relationship between functions credited in the analysis of postulated initiating events and safety categories [5]

Functions credited in the safety assessment                                       Severity of the consequences if the function is not performed
                                                                                  High                     Medium              Low
Functions to reach a controlled state after anticipated operational occurrences   Safety category 1        Safety category 2   Safety category 3
Functions to reach a controlled state after design basis accidents                Safety category 1        Safety category 2   Safety category 3
Functions to reach and maintain a safe state                                      Safety category 2        Safety category 3   Safety category 3
Functions for the mitigation of consequences of design extension conditions       Safety category 2 or 3   Not categorized b   Not categorized b

Note b: Medium or low severity consequences are not expected to occur in the event of non-response of a dedicated function for the mitigation of design extension conditions.

Combined with the examples of CPR1000 and EPR, there are some similarities and many differences in safety classification between the CPR1000 and EPR NPPs. The differences are mainly reflected in design conditions, safety function classification, design and manufacturing specification classification of pressure-bearing mechanical equipment, and classification of equipment used to mitigate design extension conditions.

Difference in Design Conditions. For the CPR1000 and EPR NPPs, operational condition analysis is an important input for safety classification, but there are great differences in the range of the operating condition list and in the safety analysis between CPR1000 and EPR, which inevitably lead to different classification results [6].

Operational Condition List: the EPR NPP is more comprehensive than the CPR1000 NPP in considering operational conditions, and also considers accident conditions and severe accidents under shutdown [6].

Safety Analysis: the CPR1000 NPP only analyzes a controllable and stable state, but does not analyze a state that can stably remove core heat over a long period. The EPR NPP analyzes the safe shutdown state with sustainable heat removal [6].

Difference in Safety Function Classification. The safety function classification of the CPR1000 NPP can be directly determined according to the definitions of RCC-P. The EPR NPP puts forward the concept of safety function classification and uses it as the foundation for determining item classification, which makes the EPR NPP’s safety function classification method more logical. Safety function classification follows the design requirements of the EUR and is divided into F1A, F1B and F2 functions. An actual system, or part of a system, is a combination of mechanical and electrical components used to perform at least one function, and a system or equipment item is likely to perform several functions. Therefore, the actual system classification in a project consists in determining the classification of each part of the system and of each equipment item [7].

Judging from the development rules and changes from CPR1000 to EPR, the safety classification method is gradually refined: accidents are evaluated more comprehensively under all operational conditions, and a more detailed safety classification method guides system design. Different safety classification methods lead to different safety classifications, as shown in Table 3. Combined with Table 3, it can be seen that changes in safety classification and in NPP system design have led to a higher classification of air supply temperature control and room temperature control. This will mainly affect:
(i) Level 1 control cabinet requirements are raised to Safety category 2, and the equipment shall follow the corresponding software and hardware design specifications. Combined with the current product situation, this affects the current control strategy.
(ii) Level 0 actuators and instruments shall meet the relevant safety classification requirements.

2.2 Automatic and Control Level Requirement Change and Challenge

The automatic and control level of the CPR1000 NPP ventilation system is at the level of some “sub-functional level” control. To reduce the burden on operators, so that they have more capacity to operate other important equipment and handle more important events, a higher level of automation shall be required in the new generation of NPPs. Therefore, new requirements are put forward for the control design of the nuclear island ventilation system: it is expected that at least part of the “system level” control can be realized and that the “sub-function level” control can be fully realized. See Fig. 2.

Table 3. Comparison table of safety classification of ventilation system equipment

No. | Functions | Actuator | Monitoring and control mode | Control platform | Safety classification CPR1000 | Safety classification (IAEA SSG-30) | Difference of safety classification
1 | Air supply/exhaust control | Supply/exhaust fan | Start-stop control | DCS | 1E/SR/NC | 1/2/3/NC | None
2 | Fire/smoke exhaust control | Smoke exhaust damper/smoke exhaust fan | Start-stop control | Local control unit + DCS | 1E/SR/NC | 1/2/3/NC | None
2 | Fire/smoke exhaust control | Fire damper | On-off control | DCS | NC+ | 2/3 | The classification of equipment is determined according to different start-stop functions, and some fire dampers perform a Safety category 2 function [8]
3 | Cooling water production control | Air/water cooling unit | Start-stop and regulation control | DCS | NC | 3/NC | Some equipment is upgraded to Safety category 3
4 | Radioactive dynamic containment control | Iodine filtration fan | Start-stop control | DCS | SR | 2 | None
4 | Radioactive dynamic containment control | Iodine filtration heater (for dehumidification) | Start-stop control | DCS | SR | 2 | None
4 | Radioactive dynamic containment control | Iodine filter column | On-site differential pressure monitoring (for inspection and maintenance, filter replacement) | None | NC+ | 3 | None
5 | Radioactive static containment control | Containment border isolation damper | On-off control | DCS | 1E | 1 | None
5 | Radioactive static containment control | Isolation damper of building boundary | On-off control | DCS | SR/NC+ | 2/3 | None
6 | Air supply temperature and humidity control | Electrical heater in air duct | Start-stop control | Local control cabinet | NC+/NC | 2/NC | The classification requirements of some equipment have been improved
6 | Air supply temperature and humidity control | Electrical heater in air duct | Power regulation control | Local control cabinet | NC+/NC | 2/NC | The classification requirements of some equipment have been improved
6 | Air supply temperature and humidity control | Regulation valve of cold water coil | Regulation control | Local control cabinet | NC+/NC | 2/NC | The classification requirements of some equipment have been improved
6 | Air supply temperature and humidity control | Humidifier | Start-stop and regulation control | Local control cabinet | NC+/NC | 2/NC | The classification requirements of some equipment have been improved
6 | Air supply temperature and humidity control | Regulation damper | Regulation control | Local control cabinet | NC+/NC | 3/NC | The classification requirements of some equipment have been improved
7 | Room temperature control | Local electrical heater | Power regulation | Local control cabinet | NC+/NC | 2/NC | The classification requirements of some equipment have been improved
7 | Room temperature control | Local electrical heater | Start-stop control | Local control cabinet | NC+/NC | 2/NC | The classification requirements of some equipment have been improved
7 | Room temperature control | Local unit heater (with fan) | Start-stop control | DCS | NC+/NC | 2/NC | The classification requirements of some equipment have been improved
7 | Room temperature control | Local cooling unit | Start-stop control | DCS | 1E/SR/NC | 1/2/3/NC | None

Fig. 2 (figure not reproduced; its content is summarized here) shows the desired automatic and control level as a ladder from low to high automation. Each level has a manual column and an automatic column: equipment level (manual operation one by one; automatic linkage and protection of one equipment item), sub-functional level (manual group operation; automatic control), system level (manual group operation; automatic control) and plant/factory level (manual operation; automatic control). The current automatic level is marked on the ladder.

Fig. 2. Desired automatic and control level

3 Control Strategy and Development Ideas of Nuclear Island Ventilation Systems

Based on the challenges faced by nuclear island ventilation systems, the following solutions or ideas are put forward for reference.

3.1 Control Strategy Facing the Challenge of Safety Classification

Raising the safety classification of air supply temperature and humidity regulation control and of room temperature control to category 2 has a great influence on the control strategy. At present, there are few safety-class controllers with mature application experience, mainly DCS products or some customized control components. Therefore, a control strategy is proposed for each of the following two conditions.

Regulation Control. The Level 0 actuators and instruments are selected as safety-class equipment. Combined with the current market situation, an optimization scheme, type 1, is proposed for the equipment upgraded to safety class, as shown in Fig. 3.
(i) The regulating water valves/air dampers are changed from the intelligent type to the non-intelligent type; safety-class electric regulating valves/air dampers are selected, and the valves/dampers are controlled by safety-class switchgear.
(ii) A safety-class local power control cabinet needs to be developed. The cabinet mainly contains power regulators. At present, few power regulators on the market have passed safety-class certification, so they need to be customized for development.
(iii) The on-off control and regulation control of electrical heaters and valves are implemented by the safety-class DCS. This solves the selection problem of the safety-class local control cabinet, and operators in the MCR (Main Control Room) can obtain more information and monitor more equipment remotely.

Fig. 3. Type 1 control strategy diagram

On-Off Control. Since the safety classification of some on-off controlled electrical heaters is raised, two design control strategies are proposed for reference for this part of the equipment, as shown in Fig. 4.
Type 2a: design and manufacture a safety-class control cabinet based on simple hardware or safety-class relay units to implement control. The heater and the local control cabinet are independent and different pieces of equipment.
Type 2b: develop and manufacture a safety-class integrated electrical heater with a temperature switch and control circuit. Type 4b may be cheaper than type 4a, but there are no safety-class products on the market at present; they can be developed according to the actual needs of the project.

Fig. 4. Type 2a and type 2b local control strategy diagram

3.2 Ideas for Improving the Automation Level

According to the operation and maintenance requirements of the NPP, the automation level of the NPP will be improved: “system level” control will be realized, and “sub-function level” control will be fully realized. The following methods can be adopted to improve the control level; see Fig. 5 for the control block diagram.
(i) Sort out the equipment-level control logic to form the control logic of each component.
(ii) Sort out the sub-function control requirements, then form each sub-function’s control logic and a sub-function group control algorithm. The control algorithm of the sub-function is connected to the corresponding equipment-level control logic.
(iii) Sort out the relationship between each sub-function and system operation, and design system-level logic based on operating conditions.
(iv) According to the functions performed by each system in the plant and the plant’s operation requirements, design group or sequential control logic at the plant/factory level and connect it to the group control of the system level to control each system.
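The four-level architecture of steps (i) to (iv) is modelled below as an added example; this is my own code, not the paper's control logic or the block diagram of Fig. 5. Equipment-level logic holds each actuator's own start permissive, a sub-function starts its group in a fixed order under one group interlock, a system starts its sub-functions in operating order and rolls back a partial start, and the plant level sequences the systems and rolls faults up as a summary for the DCS. The interlock (a duct heater may only run while a fan of the same group supplies airflow, and loses the fan trips the heater) is an assumption standing in for the "automatic linkage and protection" of Fig. 2, and all tag names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Equipment:
    """Equipment level: one actuator with its own start permissive."""
    name: str
    kind: str                  # "fan", "damper" or "heater"
    running: bool = False
    fault: bool = False

    def start(self) -> bool:
        if self.fault:         # a faulted item is never started
            return False
        self.running = True
        return True

    def stop(self) -> None:
        self.running = False


class SubFunction:
    """Sub-function level: one group started in a fixed order under an interlock.
    Assumed interlock (not from the paper): a heater may only run while a fan of
    the same group supplies airflow; losing the fan trips the heater."""

    def __init__(self, name: str, members: List[Equipment]) -> None:
        self.name, self.members = name, members

    def _airflow(self) -> bool:
        return any(m.running for m in self.members if m.kind == "fan")

    def start(self) -> bool:
        ordered = ([m for m in self.members if m.kind != "heater"]
                   + [m for m in self.members if m.kind == "heater"])
        for m in ordered:
            if m.kind == "heater" and not self._airflow():
                return False   # group permissive: no airflow, no heater
            if not m.start():
                return False
        return True

    def stop(self) -> None:
        for m in reversed(self.members):
            m.stop()

    def scan(self) -> List[str]:
        """Periodic protection scan; returns the linkage actions taken."""
        actions = []
        if not self._airflow():
            for m in self.members:
                if m.kind == "heater" and m.running:
                    m.stop()
                    actions.append(f"{self.name}: {m.name} tripped (no airflow)")
        return actions


class System:
    """System level: group start/stop of sub-functions in operating order."""

    def __init__(self, name: str, subfunctions: List[SubFunction]) -> None:
        self.name, self.subfunctions = name, subfunctions

    def start(self) -> bool:
        for sf in self.subfunctions:
            if not sf.start():
                self.stop()    # roll back a partial group start
                return False
        return True

    def stop(self) -> None:
        for sf in reversed(self.subfunctions):
            sf.stop()

    def scan(self) -> List[str]:
        return [a for sf in self.subfunctions for a in sf.scan()]

    def faults(self) -> List[str]:
        return sorted({m.name for sf in self.subfunctions for m in sf.members if m.fault})


class Plant:
    """Plant level: sequential group control of systems; faults roll up to the DCS."""

    def __init__(self, systems: List[System]) -> None:
        self.systems = systems

    def start(self) -> Dict[str, bool]:
        return {s.name: s.start() for s in self.systems}

    def scan(self) -> List[str]:
        return [a for s in self.systems for a in s.scan()]

    def fault_summary(self) -> Dict[str, List[str]]:
        return {s.name: s.faults() for s in self.systems}


def build_demo_plant() -> Plant:
    """Constructed plant with constructed tag names (not real plant codes)."""
    fan, heater, damper = Equipment("FAN-01", "fan"), Equipment("HTR-01", "heater"), Equipment("DMP-01", "damper")
    sys_a = System("SYS-A", [SubFunction("air supply", [damper, fan]),
                             SubFunction("supply temperature", [fan, heater])])
    sys_b = System("SYS-B", [SubFunction("cooling", [Equipment("FAN-02", "fan")])])
    return Plant([sys_a, sys_b])


def run_scenario() -> Dict[str, object]:
    """Plant-level start, then a fan trip that the sub-function scan must handle."""
    plant = build_demo_plant()
    started = plant.start()
    fan = plant.systems[0].subfunctions[0].members[1]
    heater = plant.systems[0].subfunctions[1].members[1]
    heater_on = heater.running
    fan.fault, fan.running = True, False          # equipment-level fault
    actions = plant.scan()
    return {"started": started, "heater_on_after_start": heater_on, "actions": actions,
            "heater_on_after_trip": heater.running, "faults": plant.fault_summary()}
```

Each level only calls the level directly below it, which is what lets the group buttons of Fig. 8 drive a whole system while the equipment-level permissives still decide whether any single item may run.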

4 Implementation Results

Facing the problem of raising the safety classification of the local control cabinet, we newly developed a safety-class local power control cabinet (regulation power) for the type 1 control strategy; see Fig. 6. This control cabinet supplies power to the heater and adjusts the power supplied, receives external 4–20 mA regulation commands and outputs the fault status of the control cabinet. It has passed the safety-class equipment qualification tests and meets the K3 equipment qualification requirements of RCC-E. In order to implement the type 2 control strategy, a nuclear-class local control cabinet meeting the type 2a control strategy was newly developed; it has passed the K3 qualification tests and uses a relay circuit to achieve on/off control. The above two types of equipment have been promoted in new construction nuclear power plants; see Fig. 7. The type 2b solution is more integrated than type 2a. If implemented, the number of equipment items would be further reduced, but safety-class electric heaters with controllers need further development, which has not yet been done in the project.

Fig. 5. System-level and plant-level automation control block diagram

Fig. 6. Diagram of type 1 local power control cabinet

In the new construction nuclear power plant, system-level and sub-function level group control of the nuclear island ventilation system are designed; an example is shown in Fig. 8. The operator can realize system-level and sub-functional level control through the group buttons, and realize individual or group management of equipment-level items through the group mode button. After adopting this method of improving the automation level, the operator’s operation and control level is greatly improved.


Fig. 7. Diagram of type 2a local control cabinet

Fig. 8. The example of system group control

5 Conclusion

This paper expounds the current design of nuclear island ventilation systems. With the development of the industry, the safety and automation levels of ventilation systems face higher requirements, and new requirements and challenges arise. Facing the challenge of safety classification enhancement, it is necessary to develop a nuclear safety-class electrical heater power regulation control cabinet for local temperature regulation control, and a local control cabinet based on simple hardware or an integrated safety-class electrical heater with self-control. The safety-class local control cabinets of type 1 and type 2a were developed successfully in this study and are used in new construction NPPs, but there are no safety-class products of type 2b on the market; these can be developed in the future. Type 2b products could be widely applied in northern NPPs, which may reduce project implementation cost. Facing the challenge of improving the automation level, the paper proposes a control logic architecture and introduces the control logic design idea from the equipment level to the plant level. At present, in new construction NPPs, nuclear island ventilation systems have basically realized “system level” control and completely realized “sub-function level” control according to this study. Subsequently, the relationship between the “system level” and the “plant level” can be sorted out to further realize “plant-level” control. More intelligent ventilation and air conditioning algorithms may also be introduced to improve the overall control level of nuclear island ventilation systems in NPPs.

References
1. RCC-P, Design and Construction Rules for System Design of PWR Nuclear Power Plants, EDF and FRAMATOME (2000)
2. Tian, H.-J., Bin, H.: Containment and ventilation systems for nuclear power plants. Chin. J. Nucl. Sci. Eng. 30(S1), 296–301 (2010)
3. Dai, J.: Research on application and commissioning technology of DDC technology in ventilation and air conditioning system of nuclear power plant. DAYA BAY Nucl. Power 3, 63–68 (2014)
4. Tian, L., Fu, Z.-W.: Analysis on the development direction and trend of classification in nuclear power plant. He Biaozhun Jiliang Yu Zhiliang (3), 13–17 (2015)
5. IAEA SSG-30, Safety classification of structures, systems, and components in nuclear power plant, IAEA (2014)
6. Shang, C.-Z., Wei, Y.-Y., Wang, Y.-H.: Comparative analysis of nuclear power plant safety classification between CPR1000 and EPR nuclear power plant. DAYA BAY Nucl. Power 3, 37–41 (2016)
7. Si, H.-Y.: The introduction of safety classification in EPR nuclear power plant nuclear safety. He Biaozhun Jiliang Yu Zhiliang 1, 7–16 (2013)
8. Si, H.-Y., Shang, C.-Z., Li, X.-Z.: Classification for safety classified fire damper in EPR power plant. Nucl. Saf. 3, 66–69 (2012)

The Safety Function Design Improvement of Circulation Water Filter System in CPR1000 Unit

Lei Jiang and Hui Wang (B)

State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co., Ltd., Shenzhen 518172, China
[email protected]

Abstract. The circulation water filter system (CFI) is a very important supporting system in nuclear power stations; all domestic nuclear power stations are located at the seaside so as to ensure a sufficient cooling water supply. The CFI system design in the different domestic nuclear power stations almost all adopts the technology of the M310 unit introduced from France. This paper introduces and analyzes the design discrepancies against the CFI system functional requirements, and finally gives the improvement solution for the third generation of nuclear power stations.

Keywords: Nuclear power plant · Filter · Safety function · Classification · Logic

1 Introduction

Nuclear power stations are normally located at the seaside, and the CFI system is a very important supporting system in the power station. The failure of the CFI system will probably cause the loss of part or all of the cooling water; consequently the unit has to execute the load shedding procedure, or in some extreme cases the operators even have to shut down the reactor [5]. Similar events due to CFI system failure have taken place no more than once in nuclear power plants both at home and abroad; the failure of the CFI system directly influences the safety, economy and reliability of nuclear power plant operation. Both the operation department and the designers of nuclear power plants pay close attention to the reliability of the CFI system. Many different measures are taken to cope with possible events in the circulation water filter system, such as early warning and marine fishing before a sea-creature outbreak, vibration monitoring and evaluation of the filter gearbox, enlarging the electric power of the filter motor, and adding a manual approach to start the low speed motor, so as to reduce the risk of CFI failure as much as possible.

1.1 The Flow Diagram of CFI System in CPR1000

The circulation water filter system is always configured in seashore nuclear power stations. It aims to prevent the entry of sea creatures or floating objects. A combined pump building

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 148–156, 2021. https://doi.org/10.1007/978-981-16-3456-7_16

The Safety Function Design Improvement of CFI

149

is located near the water intake. Refers to the Fig. 1, the sea water in train A are distributed to circulation system (CRF), essential server water system (SEC) and some other user after filtering by circulation water filter system (CFI) [3].

Fig. 1. CFI flow diagram

1.2 The Main Equipment of CFI System in CPR1000

The core equipment of the circulation water filter system is a filter device driven by a set of motors [6]. The filter device is a drum-shaped structure with screen strainers installed around its periphery; for details refer to Fig. 2. The rotating filter device stops the entry of floating material in the seawater. In order to reach the reliability target, two redundant low speed motors (L.S), one middle speed motor (M.S) and one high speed motor (H.S) are configured to drive the filter. Only one of the motors can be switched into operation at a time, according to the result of the logic calculation.

1.3 The Operation Process of CFI System in CPR1000

The CFI system is always put in manual mode for the first operation after every system overhaul. The operator starts the M.S motor manually to verify that the whole system can be put into use. If the test result is satisfactory, the operator stops the M.S motor and puts the system in auto mode; the CFI system is then controlled automatically and operated at a speed proportional to the level gap. When the level gap across the filter (between its upstream and downstream sides) is lower than the H1 set point, the filter device is driven by the main low speed motor and rotates at low speed. As the level gap rises, the filter gradually switches to middle speed or even high speed operation according to the level gap. When the level gap returns to its normal value, the filter operates at low speed again. The detailed control diagram is shown in Fig. 3.


Fig. 2. Filter structure

1.4 The Function Analysis of CFI System in CPR1000

The basic function of the CFI is to supply clean cooling water to the unit in normal or accident conditions. During normal operation of the unit, the function of the CFI is to perform preliminary filtering, to provide sea water as the raw material needed by the chlorination station, and to provide cooling water for the secondary loop. These functions are non-safety functions. The component cooling system (RRI) is an intermediate loop between the nuclear island equipment and the essential service water system (SEC); the CFI system supplies the SEC with cooling water to ensure that the essential equipment in the nuclear island can perform its safety functions [4]. During normal power operation, much essential equipment in the primary loop needs to be cooled by the RRI system, for example the air conditioning cooling unit that maintains the ventilation of the main control room, the heat exchanger of the primary loop coolant letdown, the seals of the reactor coolant pumps, etc. Whether during unit overhaul, in a severe accident, or over the whole life cycle of the unit, the decay heat from the reactor and primary loop always has to be transferred to the sea water. This function performed by the CFI is therefore a very important safety related function.

1.5 The Safety Classification of CFI in CPR1000

The classification of a structure, system or component is mainly based on deterministic methods, supplemented by probability and statistics and by engineering judgement [1]. Besides, the following factors should also be taken into account: the safety function performed by the component, the consequences of its failure, the probability that a given safety function will be called upon, and the time at which and the duration for which a component is put into operation after a postulated initiating event. Meanwhile, auxiliary equipment has to be regarded as part of the safety system and classified correspondingly when it is used as a support system.

The classification of the CFI system according to RCC-P, Design and Construction Rules for System Design of PWR Nuclear Power Plants [2], is given in Table 1.

Fig. 3. CFI control diagram

Table 1. The classification of CFI system

| Component | Functional classification | Function description | Component classification |
|---|---|---|---|
| Level transducer before and after the filter | Safety related | Permit start L.S motor at low level gap | 1E |
| | NC | Switch to M.S motor at high level gap | NC |
| | NC | Switch to H.S motor at high 2 level gap | NC |
| | NC | Alarm and trip CRF pump at high 3 level gap | NC |
| L.S motor switch gear | Safety related | Ensure the water supply to SEC in abnormal condition | 1E |
| M.S motor switch gear | NC | Drive the filter in high level gap | NC |
| H.S motor switch gear | NC | Drive the filter in high high level gap | NC |

2 The CFI Safety Function Design Defect in CPR1000

2.1 Design Concept Defect

According to the design concept of CPR1000, when the filter is static there is no way to guarantee enough water supply to the SEC by relying only on the water leaking through the filter. Therefore the filter device should keep running in any condition. In other words, as long as the filter device is running, the loss of water supply to the SEC is assumed not to occur. However, the operation records from different nuclear power stations prove that this assumption is not correct. The frequent unit load shedding caused by loss of CFI is good evidence: the flow capacity of the filter device cannot meet the design requirement even if the filter device keeps running.

2.2 Function Classification Defect

The circulating water system (CRF) is the major consumer of the sea water supply: more than 95% of the water goes to the secondary loop of the conventional island, and only about 5% goes to the SEC system. When the level gap reaches the high 3 set point, the CRF pump is switched off so as to ensure the water supply to the SEC.


In the CPR1000 unit, the switchgear of the CRF is NC classified. This means the function of tripping the CRF pump at high 3 level is also NC classified. Unqualified switchgear may lose control because of equipment failure; in this case the CRF pump cannot stop as required, the intake sea water is quickly used up by the CRF pump, and the final result is the loss of the unit's heat sink. From the safety analysis point of view, this is not acceptable.

2.3 Logic Function Design Defect

According to the present control logic design of the filter, under AUTO control mode, when the level gap reaches the high set point the low speed motor stops, and at the same time the start condition of the low speed motor, including the spare low speed motor, is inhibited. In other words, the low speed motor that performs the safety function cannot keep running; the function of supplying sea water to the SEC is handed over to a non-safety motor (M.S or H.S), and the safety function is degraded in this case.

2.4 Logic Design Defect

Software logic that performs a lower safety function must not be able to prevent the execution of logic that performs a higher safety function. Because of the number of signal exchanges between the four motors, all control logic is placed in the safety control platform (DCS), and one major condition to start the L.S motor is the check of the running feedback signals of the M.S/H.S motors. Because the L.S/M.S electrical switchgear are unqualified equipment, a spurious running feedback signal from the NC classified electrical switchgear is possible. In this case the safety function can be disturbed by NC classified equipment. The signal logic design between safety equipment and NC classified equipment is thus also a defect in the CPR1000 unit.

3 The Design Improvement of CFI in the Third Generation Unit

3.1 The Design Concept Improvement

In CPR1000, the running of the low speed motor is regarded as the guarantee of the safety function. According to the analysis in Sect. 2.1, it cannot ensure that the safety function is performed. In the third generation nuclear power station, the system designers recognised this defect. Since the CRF pump is the main consumer of sea water, tripping the CRF pump at the high 3 level gap ensures the water supply to the SEC. The real safety route is therefore to trip the running CRF pump at the high 3 level gap instead of ensuring the running of the low speed motor.


3.2 Function Classification Improvement

In the CPR1000 unit, the switchgear of the CRF is NC classified, and the trip function of the CRF pump at the high 3 level gap is also NC classified. In the third generation nuclear power station, the trip function of the CRF pump at high 3 level has been changed to safety classified. The CRF pump switchgear equipment or components have been replaced by K3 qualified equipment; besides, the layout of the CRF pump switchgear should also meet the physical isolation requirement.

3.3 Manual Logic Design Improvement

Because the filter is only allowed to be driven by one of the four motors, complicated interlock logic exists between the two safety classified L.S motors (including the spare motor) and the NC classified M.S/H.S motors. The present start logic of the low speed motor in CPR1000 is inhibited by the high level gap and by the running feedback signals of the M.S and H.S motors; however, the M.S and H.S motors are NC classified, so the interlock logic design cannot meet the requirements of the IEC 61513 standard. As a matter of fact, there is no way to ensure a safety signal route to start the low speed motor. So how to make sure the low speed motor can be started without being influenced by NC classified signals becomes the key issue. Since the auto logic cannot satisfy this safety requirement, and the change of level gap is a slow process, adding a manual control button in the MCR solves this problem easily: the operator has enough time to start the low speed motor as required. After modification, the auto start logic of the low speed motor no longer performs a safety function (Figs. 4 and 5).

Fig. 4. L.S motor control logic before modification


Fig. 5. L.S motor control logic after modification

Before the modification, the low speed motor operates automatically according to the permit condition; when the level gap reaches the high set point, operation of the low speed motor is inhibited. After the modification, the operator can intervene and force the operation of the low speed motor in any case, so as to ensure the safety function of water supply to the SEC. Because the auto start logic of the low speed motor no longer needs to perform a safety function, the problem that "the software logic which executes the lower safety function cannot prevent the implementation of the logic which executes the higher safety function" no longer exists.
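The before/after behaviour of the L.S start logic (Figs. 4 and 5) together with the CRF trip at high 3 (Sects. 2.2 to 2.4 and 3.1 to 3.3), written out as an added C model. This is example code, not the paper's or the plant's DCS logic; the set-point values, the struct and the function names are constructed for illustration only.

```c
/* Added example: a simplified model of the CFI low speed (L.S) motor start
 * logic and of the CRF pump trip, before and after the modification described
 * in Sect. 3.3. Not the paper's or the plant's DCS code; set points, struct
 * and function names are constructed for illustration. */
#include <stdio.h>

/* Constructed level-gap set points in metres (assumed values, not from the paper). */
#define GAP_H1 0.30   /* high:   L.S stops in AUTO, M.S takes over */
#define GAP_H2 0.50   /* high 2: H.S takes over                    */
#define GAP_H3 0.80   /* high 3: alarm and trip CRF pump            */

typedef enum { MOTOR_LS = 0, MOTOR_MS = 1, MOTOR_HS = 2 } motor_t;

/* Signals seen by the L.S start logic. The running feedbacks come from the
 * NC classified M.S/H.S switchgear, so they may be spurious. */
typedef struct {
    double level_gap;        /* level difference across the drum filter */
    int ms_running_fb;       /* NC classified feedback from M.S switchgear */
    int hs_running_fb;       /* NC classified feedback from H.S switchgear */
    int manual_ls_request;   /* MCR manual start button added by the modification */
} cfi_inputs_t;

/* Proportional speed selection in AUTO mode (Sect. 1.3). */
motor_t select_motor(double level_gap)
{
    if (level_gap >= GAP_H2) return MOTOR_HS;
    if (level_gap >= GAP_H1) return MOTOR_MS;
    return MOTOR_LS;
}

/* Before modification (Fig. 4): L.S start is permitted only below the high
 * set point and only if neither M.S nor H.S reports running. One spurious
 * running feedback from NC switchgear therefore blocks the safety motor. */
int ls_start_permitted_before(const cfi_inputs_t *sig)
{
    return sig->level_gap < GAP_H1 && !sig->ms_running_fb && !sig->hs_running_fb;
}

/* After modification (Fig. 5): the operator's manual request forces the L.S
 * motor regardless of level gap or NC feedback. The AUTO path is unchanged
 * but no longer carries the safety function. */
int ls_start_permitted_after(const cfi_inputs_t *sig)
{
    if (sig->manual_ls_request) return 1;
    return ls_start_permitted_before(sig);
}

/* Trip demand for the CRF pump at high 3 (Sect. 3.1). */
int crf_trip_demand(double level_gap)
{
    return level_gap >= GAP_H3;
}

/* Whether the CRF pump actually stops: the demand only takes effect if the
 * switchgear executing it is available. With NC classified switchgear
 * (CPR1000) a failed breaker defeats the trip; the K3 qualified switchgear of
 * the third generation design is credited as available. */
int crf_pump_stopped(double level_gap, int switchgear_available)
{
    return crf_trip_demand(level_gap) && switchgear_available;
}

int main(void)
{
    /* Scenario: low level gap, but the M.S switchgear reports a spurious "running". */
    cfi_inputs_t sig = { 0.10, 1, 0, 0 };
    printf("before: L.S permitted = %d\n", ls_start_permitted_before(&sig));
    sig.manual_ls_request = 1;
    printf("after : L.S permitted = %d\n", ls_start_permitted_after(&sig));
    printf("high 3, failed NC switchgear: CRF stopped = %d\n", crf_pump_stopped(0.9, 0));
    printf("high 3, K3 switchgear:        CRF stopped = %d\n", crf_pump_stopped(0.9, 1));
    return 0;
}
```

The model makes two points of the paper explicit: in the original logic a single spurious running feedback from NC classified switchgear is enough to block the safety classified motor, and a trip demand is only as good as the switchgear that executes it. In a real DCS the manual request would be a hardwired MCR input rather than a struct field, and the same cases would form part of the logic verification of the safety platform.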

4 Results

Designers have gradually realised the design concept defect that existed in the CFI system. In the course of the CFI design for the third generation nuclear power stations at home, the switchgear of the CRF pump has been replaced by safety classified switchgear. This improvement avoids the potential loss of the CFI system caused by unqualified switchgear failure. The manual logic design improvement further reduces the probability of heat sink loss and improves unit safety.

5 Conclusion

The design of the CFI in the CPR1000 unit follows the concept of the M310 nuclear power plant unit in France. This paper introduces and analyses the defects which exist in the CPR1000 units at home, and puts forward the corresponding solution so as to reduce the possible risk of heat sink loss.


References
1. HAF 102: Provisions on Design Safety of Nuclear Power Plants, pp. 25–26. China Legal Publishing House (2016)
2. RCC-P: Design and Construction Rules for System Design of PWR Nuclear Power Plants. EDF and FRAMATOME (1998)
3. 900MW PWR Nuclear Power Plant System and Equipment, 1st edn. Atomic Energy Press, Beijing
4. PWR Nuclear Island Design: 8th Vol, 1st edn. Atomic Energy Press, Beijing (2010)
5. Li, Y.N., Wang, Q.: Electric control system for circulating water filtration system in nuclear power plant. Hydropower New Energy 004, 72–76 (2017)
6. Liu, P., Li, Y.: Nuclear power station circulation water filter system installation and control. Chin. J. Petroleum Chem. Stands Quality 31(6), 293–293 (2011)

A Study About Unit Testing for Embedded Software of Control System in Nuclear Power Plant

Wang Xi, Wei Liu, Tao Bai, and Ji Shi
State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Company LTD, Shenzhen 518045, Guangdong, China

Abstract. As the nerve centre of the nuclear power plant, the control system ensures the safety and economy of power plant operation, and its software test is very important. With the development of digital nuclear power and the wide application of embedded system software worldwide, more and more embedded software is being applied in the control systems and intelligent equipment of nuclear power plants. This paper analyses the characteristics of the embedded system software of nuclear power plant control systems and the differences between embedded system software and general application software from the test perspective, together with their impact on testing. It puts forward a unit test method for embedded software of nuclear power plants based on the ARM architecture, which separates the application software from the underlying hardware by means of software structure analysis, program piling, syntax modification, hardware simulation, etc. Its successful application in the unit test of a plant control system software V&V project provides a reference for the unit test of embedded and similar mixed-programming software.

Keywords: Nuclear power plant · Control system · Embedded software · Unit test · V&V

1 Introduction

Industrial control systems are widely used in industry to control the operation of production equipment [1]. Unlike a general system, an industrial control system affects the whole production process, and its software errors may lead to serious hidden dangers for industrial safety and economy. A nuclear power plant is an important industrial production organisation, and its operational safety problems may cause disastrous consequences for society and the environment. With the development of digital nuclear power, the digital instrumentation and control system (DCS), as the nerve centre of the nuclear power plant, is an important interface between the monitoring personnel and the operated equipment, and it determines the safety and economy of nuclear power plant operation [2]. Software V&V is an important way to ensure the quality of software, and plays an important role in the digitalisation of nuclear power plants [3]. Unit test is an important activity in the software V&V implementation stage, and it is also the only stage that directly tests the software code both as a black box and as a white box, which plays a key role in verifying the correctness of the code implementation. At present, with the development of industrial control software, more and more embedded software is used in the DCS and intelligent equipment of nuclear power plants, and more and more embedded software has become the test object of nuclear power plant system software [4]. Because of the mixed software/hardware programming characteristics of embedded software, the software architecture has a certain complexity. The programming mode depends on the compiler, and the way the software is combined with the hardware also depends on the choice of embedded chip and architecture. Compared with a program developed purely at the software level, unit testing of embedded software cannot be carried out by traditional methods. Therefore, under limited test conditions, a method is needed to shield the complexity and diversity of embedded software. A test method for the embedded software of nuclear power plant control systems plays an important role in improving test efficiency and software quality.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021 Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 157–163, 2021. https://doi.org/10.1007/978-981-16-3456-7_17

2 Related Works

2.1 Embedded Software Testing Features

The structure of an embedded system comprises the hardware layer, the middle layer, the system software layer and the application software layer of the embedded computer system [5]. The embedded system structure is shown in Fig. 1.

Fig. 1. The embedded system structure (layers from top to bottom: Application Software Layer: application software; System Software Layer: OS; Middleware Layer: BSP/HAL; Computer Hardware Layer: embedded microprocessor, memory, general I/O)

The hardware layer of the computer system includes the embedded microprocessor, memory, general I/O, etc. Among them, the embedded microprocessor is the core of the hardware layer. At present, the commonly used embedded microprocessors include ARM, MIPS, PowerPC, DSP, etc. The middle layer is located between the hardware layer and the software layer, and includes the hardware abstraction layer (HAL) or board support package (BSP). The system software layer mainly includes the operating system, file system, graphical user interface, etc. [5]. The application software layer realises the control function of the controlled object and is composed of the developed application program. Different embedded microprocessors generally use different compilers, so the compilers are diverse and complex. General test tools do not necessarily support all compilers, or need to be customised. In the development processes for different embedded microprocessors, which are based on different compilation principles, the programming specifications, preprocessing, data type rules and other aspects will differ [6].

2.2 Unit Test of Embedded Software

Unit test is an important step to verify whether the functional units and modules of the software are implemented correctly. The object of unit test is a program module which can be compiled or assembled independently [7]. Both functional and structural tests of the program module should be carried out [8]. In the test process, the boundary and scope of the module should be defined first, so as to define the test content. Generally, the application layer software of an embedded system is programmed on top of the processor through the system software, or operates the underlying hardware by invoking middleware. The application software cannot run alone; it runs together with the system software, the middleware and the microprocessor. The microprocessor software is generally provided by the manufacturer of the embedded microprocessor and implements the functions of the processor hardware. Therefore, there is a mixture of application software, system software or middleware, and underlying hardware. The unit test of general software is aimed at the application software part. Adding the underlying hardware part requires, on the one hand, a complex simulation environment because of the different processors; on the other hand, middleware and hardware level procedures become involved in the test, which makes it hard to define the module boundary cleanly and causes additional workload.

Therefore, in order to test an embedded software unit cleanly, it is necessary to separate the application software so that the test can be completed in a general test environment.

3 Embedded Software Unit Test Method Based on Program Piling

3.1 Software Structure Analysis

First of all, it is necessary to analyse the structure of the target software. The part developed to achieve specific control functions is called the application software, and the part developed by the manufacturer to provide general functions on the microprocessor is called the pre-developed software. The application software and the pre-developed software are linked by the middleware program. Therefore, the work of software structure analysis is to define the application software part and the pre-developed software part of all functional modules, to define all interfaces at the unit boundary completely and clearly, and to complete the data flow analysis of inputs and outputs. This part of the work is shown in Fig. 2.

Fig. 2. Software structure analysis (data flows between other software units, the software unit under test, the OS, the BSP/HAL and the computer hardware layer)

3.2 Program Piling

After the software structure analysis is complete, the boundary of the unit is separated. First, the original connection with the BSP or HAL is disconnected, and then a stub is inserted at the break; that is to say, the data flow that originally came from the pre-developed software is simulated. Generally, according to the characteristics of the data flow, each input data parameter is set as a variable so that it can be changed in the test. During the test, the value of a parameter that needs to vary is modified, and a parameter that does not need to vary is set to a fixed value. Program piling is shown in Fig. 3 as parameters A and B.

3.3 Syntax Modification

After the stubs are inserted, the syntax should be modified. The programming specification adopted by the target unit may differ from that of the compiler or simulator in the test environment, so some syntax (such as embedded or assembly-specific syntax) has to be modified so that it conforms to the form recognised by the compiler of the normal test environment (such as a standard C compiler).

3.4 Hardware Simulation

In the test process, more complex external data flows may be encountered, such as a periodically changing data flow generated by the hardware, where the software function makes its judgement according to the changing data flow. In this case, a driver has to be written to simulate the underlying hardware. This program simulates the data flow of the hardware, and the target program calls it to obtain the data. The hardware simulation is shown in Fig. 3 as program C.

Fig. 3. Hardware simulation (the software unit receives its inputs from parameter A, parameter B and program C, which simulates the data flow of the BSP/HAL; its output goes to the other software unit)

4 Engineering Practice

This paper takes the control software unit test of an embedded system control software V&V project in a nuclear power plant as an example to apply the method described above. The unit includes collecting physical parameters, judging the start-up of a solenoid valve according to temperature, and judging whether there is an error according to the amplitude and phase of a three-phase alternating current. This software uses the mixed programming mode in which the application software calls the underlying hardware through the middleware program. It cannot be compiled as is under a standard C or ARM compiler, so the target unit needs to be modified by the operations described above.

4.1 Software Analysis

The tested control unit uses the ARM (Advanced RISC Machines) architecture, and the software architecture is shown in Fig. 4. The application software is connected with the underlying hardware through middleware. The boundary data flow includes physical parameter inputs (temperature, pressure, etc.), control signals input by other units (panel operation, external switches, etc.) and a periodically changing data flow (three-phase AC input).

Fig. 4. Software analysis (the control software unit, with the functions PressureCollect(), TemperatureCompare(), Current() and MVStart(), receives control signals from other software units, and pressure, temperature and three-phase alternating current through bsp.c from the computer hardware layer; its outputs are MVStart and Current error)

4.2 Software Separation

1) Program piling. As shown in Fig. 5, according to the data flow analysis, the external input data flows are disconnected, including the physical parameter inputs, the external control signals, the periodically changing data flow, etc. At the disconnection points these input parameters are set as test variables. At the same time, variables are set to capture the outputs of the control unit.

2) Hardware simulation. The hardware simulation process is shown in Fig. 5. Since the three-phase alternating current is originally an external periodic variation collected by the hardware, an additional program is needed to simulate the hardware. In the project, Function_CurrentGeneration() is programmed to generate the three-phase AC, and the control unit module calls this function to obtain the periodically changing value of the three-phase AC.

Fig. 5. Software separation (Function_CurrentGeneration() replaces bsp.c as the source of the three-phase current; pressure, temperature and the control signal become test inputs; MVStart, Current error and the control signal output are captured)

4.3 Unit Test

After the above two steps, the embedded software program has been successfully separated from the mixed programming and has become a program module that can be compiled independently by a standard C compiler. In the test, the pressure and temperature variables are set to different values to simulate the pressure and temperature values collected by the hardware, and the temperature-based solenoid valve start function is tested and judged. The panel operation, external switch and other signals are set to constant 0 or 1 according to the needs of the test scenario to simulate opening and closing. By modifying the parameters in Function_CurrentGeneration(), the phase and amplitude of the three-phase AC are altered to simulate abnormal three-phase AC input. The test of the control function of the application software is thus realised successfully.
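As an added example (not the project's code), the separation described in Sects. 3.2 to 3.4 and applied in Sect. 4: a control software unit with the function names of Figs. 4 and 5, compiled with a standard C compiler after its bsp.c reads are replaced by test variables (program piling) and its three-phase input by Function_CurrentGeneration() (hardware simulation). The set point, the tolerances, the unit's internal checks, the test-variable names and the sine approximation are all constructed for illustration.

```c
/* Added example, not the paper's or the project's code. A control software
 * unit of the kind in Sect. 4, separated from bsp.c by program piling and
 * fed by a hardware simulator for the three-phase AC input. Function names
 * follow Figs. 4 and 5; set point, tolerances, internal logic and the
 * test-variable names are constructed. Builds with a standard C compiler and
 * no BSP; a small sine approximation avoids a dependency on libm. */
#include <stdio.h>
#include <stdlib.h>

#define PI 3.14159265358979323846
#define SAMPLES_PER_CYCLE 64
#define PHASE_SPACING (2.0 * PI / 3.0)   /* 120 degrees between phases */
#define TEMP_START_SETPOINT 60.0         /* constructed solenoid valve start set point */

/* Range reduction plus Taylor series up to x^15: ample accuracy here. */
static double approx_sin(double x)
{
    while (x >  PI) x -= 2.0 * PI;
    while (x < -PI) x += 2.0 * PI;
    double term = x, sum = x;
    for (int k = 1; k <= 7; k++) {
        term *= -x * x / ((2.0 * k) * (2.0 * k + 1.0));
        sum += term;
    }
    return sum;
}
static double absd(double v) { return v < 0.0 ? -v : v; }

/* ---- Program piling: the reads bsp.c provided on the target are replaced
 * by variables the test sets before each scenario. ---- */
static double test_pressure     = 0.0;  /* replaces the BSP pressure read */
static double test_temperature  = 0.0;  /* replaces the BSP temperature read */
static int    test_panel_enable = 1;    /* panel / external switch, held at 0 or 1 */

void set_test_inputs(double pressure, double temperature, int panel_enable)
{
    test_pressure = pressure;
    test_temperature = temperature;
    test_panel_enable = panel_enable;
}

/* ---- Hardware simulation: periodic three-phase data. Amplitude and an extra
 * phase shift per phase are parameters so the test can inject a fault. ---- */
static double sim_amplitude[3]   = { 1.0, 1.0, 1.0 };
static double sim_phase_shift[3] = { 0.0, 0.0, 0.0 };

void set_sim_current(int phase, double amplitude, double phase_shift)
{
    sim_amplitude[phase] = amplitude;
    sim_phase_shift[phase] = phase_shift;
}
void reset_sim_current(void)
{
    for (int p = 0; p < 3; p++) set_sim_current(p, 1.0, 0.0);
}

/* Instantaneous value of phase p (0..2) at sample n of one cycle. */
double Function_CurrentGeneration(int phase, int n)
{
    double theta = 2.0 * PI * n / SAMPLES_PER_CYCLE;
    return sim_amplitude[phase] * approx_sin(theta - phase * PHASE_SPACING + sim_phase_shift[phase]);
}

/* ---- Control software unit: application logic unchanged, now reading the
 * stubs instead of the BSP. ---- */
double PressureCollect(void) { return test_pressure; }

int TemperatureCompare(void) { return test_temperature > TEMP_START_SETPOINT; }

/* Solenoid valve start demand (the MVStart output of Fig. 4). */
int MVStart(void) { return test_panel_enable && TemperatureCompare(); }

/* Current error check over one cycle: each phase's peak must be within 10 %
 * of phase A's, and rising zero crossings must be about 120 degrees apart.
 * Returns 1 on error, 0 when the three-phase input is healthy. */
int Current(void)
{
    double peak[3] = { 0.0, 0.0, 0.0 };
    int zero_up[3] = { -1, -1, -1 };      /* sample index of first rising zero crossing */
    for (int p = 0; p < 3; p++) {
        double prev = Function_CurrentGeneration(p, SAMPLES_PER_CYCLE - 1);
        for (int n = 0; n < SAMPLES_PER_CYCLE; n++) {
            double v = Function_CurrentGeneration(p, n);
            if (absd(v) > peak[p]) peak[p] = absd(v);
            if (prev < 0.0 && v >= 0.0 && zero_up[p] < 0) zero_up[p] = n;
            prev = v;
        }
    }
    for (int p = 0; p < 3; p++) {
        if (zero_up[p] < 0) return 1;                              /* a phase is missing */
        if (absd(peak[p] - peak[0]) > 0.10 * peak[0]) return 1;    /* amplitude unbalance */
        int spacing = (zero_up[(p + 1) % 3] - zero_up[p] + SAMPLES_PER_CYCLE) % SAMPLES_PER_CYCLE;
        if (abs(spacing - SAMPLES_PER_CYCLE / 3) > 2) return 1;    /* phase sequence error */
    }
    return 0;
}

int main(void)
{
    set_test_inputs(0.5, 70.0, 1);                 /* temperature above set point */
    printf("MVStart = %d, Current error = %d\n", MVStart(), Current());
    set_sim_current(1, 1.0, PHASE_SPACING);        /* phase B shifted onto phase A */
    printf("after phase fault: Current error = %d\n", Current());
    return 0;
}
```

The stubs and the simulator are the only test-specific code; PressureCollect(), TemperatureCompare(), MVStart() and Current() are written as they would be on the target, so the test exercises the same control logic that runs on the ARM board. Each scenario sets the piled variables, optionally injects an amplitude or phase fault into the simulated current, and reads the unit's outputs back as return values.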


5 Conclusions

Based on research into embedded software architecture and programming principles, a unit test method for the embedded software of nuclear power plant control systems has been formed. This method effectively solves the problems that the complexity of the embedded software architecture, the combination of software and hardware, mixed programming and so on bring to unit testing, and shields the problems of compiler diversity caused by the different cores of embedded software. In a nuclear power plant engineering software V&V project it has been implemented effectively and has formed a good practice, which provides a reference for the test scheme of embedded software in nuclear power plant control systems.

References
1. Wei, K.-C., Li, B., et al.: Research on the planning of information security protection for industrial control system. Process Autom. Instrum. 36(02), 49–52 (2015)
2. Xi, W., Gu, P.-F., Liu, W.: Discussions on information security test strategy for digital industrial control system in nuclear power plant. In: Xu, Y., Sun, Y., Liu, Y., Wang, Y., Gu, P., Liu, Z. (eds.) SICPNPP 2019. LNEE, vol. 595, pp. 83–89. Springer, Singapore (2020). https://doi.org/10.1007/978-981-15-1876-8_9
3. Xi, W., Gu, P.-F., Liu, W., Chen, W.-H.: A study and application about software V&V requirement management scheme in digital RPS. In: Xu, Y., Gao, F., Chen, W., Liu, Z., Gu, P. (eds.) SICPNPP 2017. LNEE, vol. 455, pp. 13–20. Springer, Singapore (2018). https://doi.org/10.1007/978-981-10-7416-5_2
4. Xi, W., Gu, P.-F., Bai, T., et al.: A study about software-implemented fault injection strategy for digital RPS in nuclear power plant. In: 2017 25th International Conference on Nuclear Engineering. American Society of Mechanical Engineers Digital Collection (2017)
5. Zhao, Y., Pan, X.-Q.: Embed System Conspectus. China Minzu University Press (2011)
6. Huang, Z.-W., Deng, Y.-M.: ARM9 Basic Course of Embedded System Design. Beijing University of Aeronautics and Astronautics Press (2008)
7. China Standardization Management Committee: GB/T 15532: Computer software test specification. Diss. (2008)
8. Zhang, H.-F., Mou, Y.-M.: Introduction to Software Engineering. Tsinghua University Press (2013)

Design of Defence in Depth for I&C System in Pressurized Water Reactor Nuclear Power Plant

Tao Fu, Gong-Jie Li, and Li-Ming Zhang
State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co., Ltd., Shenzhen 518172, China

Abstract. The design of the Instrumentation and Control (I&C) system in a nuclear power plant needs to consider the problems of Common Cause Failure (CCF) and of its own independence, in addition to meeting the overall Defence in Depth (DiD) target of the plant and ensuring the correct and reliable implementation of the monitoring, control and protection functions under the various operating conditions. The requirements of the International Atomic Energy Agency (IAEA) are summarised in this paper, and a DiD design scheme for the I&C system of a Nuclear Power Plant (NPP) is introduced. The compliance of the I&C system DiD design with the IAEA requirements is analysed. The analysis concludes that the I&C design scheme basically meets the requirements of the IAEA, while the improvement of diversity should be studied further. This study provides a valuable reference for the continuous improvement of I&C system design in NPPs.

Keywords: DiD · Independence · Diversity

1 Introduction

DiD is implemented primarily through the combination of a number of consecutive and independent levels of protection that would all have to fail before harmful effects could be caused to people or to the environment. If one level of protection or barrier were to fail, the subsequent level or barrier would be available. The independent effectiveness of the different levels of defence is a necessary element of DiD. After the Fukushima nuclear accident, the DiD design concept for new NPPs was developed further. Higher targets are put forward for the DiD levels and for the independence between them. The development of this design concept is introduced in IAEA Safety Standards Series No. SSR-2/1 [1], Safety of NPP: Design. The concepts of Design Extension Condition (DEC) and practical elimination are introduced for the first time. The purpose of the fourth level of DiD is adjusted from "address severe accidents in which the design basis may be exceeded and to ensure that radioactive releases are kept as low as practicable" to "mitigate the consequences of accidents that result from failure of the third level of DiD". Furthermore, the independence requirement between the levels of DiD is emphasised. For the I&C system of an NPP, it is necessary to provide monitoring and control means for the process systems that are included in all levels of DiD. On the other hand, the I&C system itself should also meet the DiD design requirements, to ensure that the failure of one level of defence is compensated for by the following one. This paper summarises the IAEA design requirements for DiD of the I&C system and introduces a DiD design scheme for the I&C system of an NPP.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021 Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 164–176, 2021. https://doi.org/10.1007/978-981-16-3456-7_18

2 Requirements of IAEA

2.1 Requirements of IAEA SSR2/1

IAEA SSR2/1 defines design requirements for the structures, systems and components of an NPP, as well as for the procedures and organisational processes important to safety, which are required to be satisfied for safe operation and for preventing accidents which could jeopardise safety, or for mitigating the consequences of such accidents, were they to occur.

The Levels of DiD

IAEA SSR2/1 defines five levels of defence:

– The first level of defence prevents deviations from normal operation and the failure of items important to safety. This level of defence requires that the plant be soundly and conservatively sited, designed, constructed, maintained and operated in accordance with quality management and appropriate and proven engineering practices. To satisfy these targets, careful attention is paid to the selection of materials and appropriate design codes, to the quality control of the manufacture of items and the construction of the plant, and to its commissioning. Design options that reduce the possibility of internal hazards contribute to the prevention of accidents at this level of defence.
– The second level of defence detects and controls deviations from normal operational conditions to prevent anticipated operational occurrences (AOOs) from escalating to accident states at the plant. Despite the care taken to prevent postulated initiating events (PIEs), PIEs are likely to occur over the operating lifetime of an NPP. The second level of defence requires the provision of specific systems and features in the design, the confirmation of their effectiveness by safety analysis, and the establishment of operating procedures to prevent such initiating events, or otherwise to mitigate their consequences and return the plant to a safe condition.
– For the third level of defence, it is assumed that, although very unlikely, the escalation of certain AOOs or PIEs might not be controlled at a preceding level and that an accident could develop. Such accidents are postulated to occur in the design of the plant, which requires that inherent and/or engineered safety features, safety systems and procedures can prevent damage to the reactor core or prevent radioactive releases which require off-site protective actions, and return the plant to a safe condition.

166

T. Fu et al.

– The fourth level of defence can minimize the consequences of accidents which result from failure of the third level of DiD. This is achieved by preventing the progression of such accidents and minimizing the consequences of a severe accident. The safety target in the case of a severe accident is that only protective actions that are limited in terms of area and duration of application would be necessary, and that off-site contamination would be avoided or mitigated. Accident sequences which would lead to an early radioactive release or a large radioactive release are required to be practically eliminated.
– The fifth and final level of defence can minimize the radiological consequences of radioactive releases which could possibly result from accidents. This requires the provision of adequately equipped emergency response facilities, emergency procedures and emergency plans for on-site and off-site emergency response.

Application of DiD

The DiD design shall be incorporated in the design of a NPP. The levels of DiD shall be independent as far as is practicable. The design shall ensure that an escalation to accident conditions for all failures or deviations from normal operation which are likely to occur over the operating lifetime of the NPP can be prevented by the first, or at most the second, level of defence. The levels of DiD shall be independent as far as practicable to avoid the failure of one level influencing other levels. In particular, safety systems shall as far as is practicable be independent of safety features for DECs (especially features for mitigating the consequences of accidents involving the melting of fuel).

2.2 Requirements of IAEA TECDOC 1791 [2]

IAEA TECDOC 1791 provides insights and approaches in support of the practical application of the new crucial requirements described in IAEA SSR2/1.

DiD Strategy

IAEA TECDOC 1791 describes two different approaches to DiD (see Table 1).

– Approach 1, i.e. the association of DECs without core melt to level 3, has the advantage that each level has clear targets regarding the progression of the accident and the protection of the barriers, i.e. level 3 to prevent damage to the reactor core and level 4 to mitigate severe accidents for preventing off-site contamination.
– Approach 2, i.e. the grouping of DECs without core melt and with core melt in level 4, however facilitates the differentiation between the set of rules for design and safety assessment to be applied for DECs and those for DBAs.

The formulation of Approach 1 is used in IAEA TECDOC 1791.


Table 1. Levels of DiD for the design of new NPP.

Design for Effective Independence of Levels of DiD

Safety features which are designed to minimize the consequences of core melt accidents need to be independent from features which are designed to mitigate DBAs. Level 3 needs to be independent from levels 1 and 2 as far as reasonably practicable. The ability of the safety systems to execute their function would not be jeopardized by a postulated single initiating event, or by failures of systems which are designed for normal operation and AOOs, in order to avoid excessively challenging levels 3b or 4. This also includes shared support systems between these levels. Safety features for DECs which are designed to back up SSCs performing safety functions need to be independent from SSCs postulated to fail in the accident sequence. The safety features performed in level 3b are used to control multiple failures affecting a safety system. Systems which are designed to control AOOs would be independent from systems for normal operation as far as reasonably practicable. Generally, AOOs are controlled by non-safety systems and ultimately by the reactor trip system. A postulated single initiating event or single equipment failure of systems designed for normal operation would not jeopardize the ability of the reactor trip system to execute its functions. The diverse safety features implemented in level 3b (e.g. with a Diverse Actuation System (DAS) I&C system) are used to control multiple failures resulting in the total loss of the reactor trip system. Limitation systems (level 2) usually share components with the control systems. Full independence of these systems might lead to excessive complexity which is not justified by the benefits to safety.

Independence of Levels of DiD in Relation to I&C Systems

I&C systems have a relevant role in executing safety functions in all levels of DiD. The correspondence between the level of DiD and the different functions, together with some recommendations to enhance the independence of the different levels, is summarized below:

– Level 1. To this level belong the functions necessary to operate the plant during normal operation modes and to maintain the main plant parameters within the specified range.
– Level 2. To this level belong the functions to prevent AOOs from escalating into accident conditions. This level also includes the reactor trip function and the limitation functions, which are designed to control AOOs without activating the reactor trip as far as possible.
– Limitation systems (level 2) need to be separated from the operational I&C (level 1) to the extent feasible. Separation may not be performed where it would significantly increase the number of data transfers between these two I&C systems (e.g. between limitation and control I&C where the controlled equipment is the same).
– Level 3. To this level belong the functions which are designed to automatically control design basis accidents (DBAs) without exceeding the acceptance criteria, and the functions which are designed to bring and maintain the reactor in a safe shutdown state following a DBA.
– Initiation of reactor trips and safety systems needs to be processed in a separated and independent I&C system from the I&C systems used for operational states and the I&C systems used for level 3b. It is necessary to ensure that failures of systems classified in a lower safety class will not prevent the Reactor Protection System (RPS) from executing its functions. Backup functions which are used to prevent combinations of PIEs with CCFs in the I&C systems from escalating to a core melt accident belong to level 3b.
– Level 4. I&C systems dedicated to the mitigation and monitoring of a core melt accident need to be separated and independent from any other I&C systems. This requires the independence of their respective power sources.

In existing designs, some I&C functions may be executed by a single I&C system in order to reduce the volume of data communicated and exchanged within the I&C systems. That may be the case for some limitation and control functions, or with the RPS, which often performs both the reactor trips and the actuation of the safety systems. In that case physical separation is not required, but the functions need to be decoupled. Independence is intended to prevent the propagation of failures from system to system or between redundant channels, and is achieved by implementing communication independence and functional independence and by avoiding interconnections in I&C systems. If independence is not implemented, the data transfer needs to be secured and the shared signals decoupled (e.g. data transfers between the redundant channels of the RPS are necessary for the voting logic). Physical separation is intended to prevent CCFs due to internal hazards.

Considerations About Sensors

The efficacy of all four levels depends upon sensor response, but this does not imply that all sensors must be diverse or independent. Nevertheless, the independence between systems assigned to different levels of DiD, and between redundant trains of a safety system, must not be jeopardized by the sensors (e.g. redundant trains within a safety system must not share instrumentation). The following considerations apply:

– Diversity and independence between the DAS and the RPS must not be impaired by sensors, to the extent possible.
– Monitoring the key parameters for the management of DBAs and of DECs without significant fuel degradation would also be possible using sensors different from those used to initiate the operation of the safety systems and the DEC safety features respectively. Sensors which are used for the protection and for the monitoring would not fail because of a common cause, to the extent possible.
– Monitoring the key parameters for the management of core melt accidents needs to be, to the extent possible, executed by dedicated sensors, and in particular should not depend on the power source which is used for DBA management. Sharing sensors with other DiD levels may be acceptable provided the sensors are qualified for the environmental conditions prevailing in case of a severe accident and an adequate number of redundant sensors are implemented with effective independence and separation. In this case the shared sensors need to provide input to different I&C systems only through appropriate devices. The DAS needs to be separated, independent and diverse from the RPS.
– Sharing sensors between levels 1, 2 and 3a may be acceptable provided an adequate number of redundant sensors are implemented with effective independence and separation. In this case the shared sensors need to provide input to different I&C systems only through appropriate isolation and buffering devices.

170

T. Fu et al.

– It is a good practice to rely on different physical parameters to minimize the consequences of failure of sensors due to common causes, for the monitoring of plant parameters or for the automatic actuation of safety systems in accident conditions.

2.3 Requirements of IAEA SSG-39 [3]

IAEA SSG-39 provides recommendations about the design of I&C systems to satisfy the requirements described in IAEA SSR2/1. IAEA SSG-39 provides guidance about the overall I&C architecture and about the I&C systems important to safety in a NPP for meeting the safety targets of the plant.

Design Basis for I&C Systems

The functions which are allocated to the I&C systems include those functions which provide control and information capabilities relevant to operation of the plant in the various modes of operational states and in accident conditions. The targets of these functions, corresponding to the concept of DiD, are to:

– Prevent deviations from normal operation;
– Detect failures and control abnormal operations;
– Control accidents which are within the plant design basis;
– Mitigate consequences in DECs;
– Minimize the radiological consequences of accidents.

DiD within the overall I&C architecture is achieved by means of independent lines of defence, so that the following line of defence can compensate for the failure of one line of defence. The overall I&C architecture should compromise neither the independence of the different levels of the DiD applied at the plant, nor the independence of safety system divisions.

2.4 Summary

There is not a unanimous understanding about the association of all the levels of DiD with the plant states established in SSR-2/1. The point of discrepancy is the association of DECs without core melt to one of the levels of DiD established in SSR-2/1. Some Member States associate them with level 4 and others with level 3. The requirements of DiD in the IAEA documents are as follows:

– Initiation of reactor trips and safety systems needs to be processed in an independent and separated I&C system from the I&C systems which are used for normal operation and the I&C systems which are used for level 3b.
– I&C systems which are dedicated to the monitoring and mitigation of a core melt accident need to be independent and separated from any other I&C systems. This requires the independence of their respective power sources.
– A single I&C system may perform some I&C functions. That may be the case for some limitation and control functions, or with the RPS, which often processes both the reactor trips and the actuation of the safety systems.
– The DAS needs to be independent, separated and diverse from the RPS.
– Monitoring the key parameters for the management of core melt accidents needs to be, to the extent possible, executed by dedicated sensors.
– Sharing sensors between levels 1, 2 and 3a may be acceptable provided an adequate number of redundant sensors are implemented with effective independence and separation.
– It is a good practice to rely on different physical parameters to minimize the consequences of failure of sensors due to common causes, for the monitoring of plant parameters in accident conditions or for the automatic actuation of safety systems.

3 Design of DiD for I&C System

3.1 DiD of I&C System

The I&C system implements the following functions:

– Monitor the plant to provide the necessary information during operational states and accident conditions.
– Maintain the operating parameters of process systems or equipment within the stipulated limits of the operating states.
– Initiate mitigation functions to ensure that the power plant reaches a safe state and to limit radioactive release to the environment in accident conditions.

A new overall I&C architecture, shown in Fig. 1, is designed in this paper. New I&C defence lines within the overall I&C architecture are established to support the plant DiD levels, in accordance with Approach 1 in IAEA TECDOC 1791. The I&C defence lines are as follows:

– Preventive line of defence: This defence line controls the main plant parameters within their expected operating range and prevents potential deviations from normal operation. This defence line consists of the CLS, which performs the control and limitation functions in normal operation states.
– Main line of defence: This defence line mitigates the consequences of DBAs and brings the plant to a safe state. This defence line consists of the RPS, which performs reactor trip, engineered safety feature actuation and other post-accident mitigation functions under DBA.
– Diverse defence line: This defence line mitigates the consequences of DBAs concurrent with a CCF of the main line of defence. The technology implemented by the diverse defence line is fundamentally diverse from the technology implemented by the main line of defence. This defence line consists of the DAS, which provides a diverse means of reactor trip and engineered safety feature actuation that is not affected by the postulated CCF.

[Fig. 1 is not reproduced. The figure shows the overall I&C architecture with the panels SAP, DHP, DEC-A P, ECP, Operational OWP and Safety OWP; the systems Hardware Logic, SA I&C, DEC-A I&C, DAS, CLS and RPS; the Isolation and Distribution module, the Priority Management module and the RTB; SA sensors and actuators, sensors and actuators; and the links between them drawn as hardwire and communication connections.]

SAP: Severe Accident Panel; DHP: Diverse Human Interface Panel; DEC-AP: Design Extension Condition A Panel; ECP: Emergency Control Panel; OWP: Operator Workplace
SA I&C: Severe Accident I&C System; DAS: Diverse Actuation System; DEC-A I&C: Design Extension Condition A I&C System; RPS: Reactor Protection System; CLS: Control and Limitation System; RTB: Reactor Trip Breaker

Fig. 1. Overall I&C architecture

– Risk reduction line: This defence line mitigates the consequences of DECs without core melt (failures in mechanical systems). This defence line consists of the DEC-A I&C.
– Severe accident defence line: This defence line performs the management and monitoring functions under severe accident with an independent Uninterruptible Power Supply. This defence line consists of the SAI&C.

The priority management module and the isolation and distribution module adopt hardware circuit technology to reduce the risk of CCF. The relationship between the lines of defence and the levels of plant DiD, as well as the I&C systems in each defence line, is shown in Table 2.


Table 2. Defence lines of I&C corresponding to levels of DiD of the plant

Plant DiD level                                                     | I&C lines of defence         | System
1  Prevention of abnormal operation and failures                    | Preventive line              | CLS
2  Control of abnormal operation and detection of failures          | Preventive line              | CLS
3a Control of DBAs                                                  | Main defence line            | RPS
3b Control of DECs to prevent core melt                             | Diverse defence line         | DAS
                                                                    | Risk reduction defence line  | DEC-A I&C
4  Control of DECs to mitigate the consequences of severe accidents | Severe accident defence line | SAI&C

3.2 Compliance Analysis with Requirements of IAEA

The compliance analysis between the DiD design and the requirements of IAEA is shown in Table 3.

Table 3. Compliance analysis between requirements of IAEA and DiD design

Requirements of IAEA | Compliance analysis | Result
Initiation of reactor trips and safety systems need to be processed in a separated and independent I&C system from the I&C systems used for operational states and the I&C systems used for level 3b | The RPS is independent from the DAS and DEC-A I&C. See subclause 3.3 for details | Satisfied
I&C systems dedicated to the mitigation and monitoring of a core melt accident need to be separated and independent from any other I&C systems. This requires the independence of their respective DC power sources | The SAI&C is independent from other systems. See subclause 3.3 for details | Satisfied
Some I&C functions may be executed by a single I&C system. That may be the case for some control and limitation functions, or with the RPS which often processes both the reactor trips and the actuation of the safety systems | The CLS executes the control and limitation functions in normal operation states. The RPS executes reactor trip, engineered safety feature actuation and other post-accident mitigation functions under DBA | Satisfied
The I&C backup system (DAS) needs to be separated, independent and diverse from the RPS | The DAS is separated, independent and diverse from the RPS. See subclauses 3.3 and 3.4 for details | Satisfied
Monitoring the key parameters for the management of core melt accidents needs to be, to the extent possible, executed by dedicated sensors | The sensors used for management of core melt accidents are dedicated and employed by the SAI&C | Satisfied
Sharing sensors between levels 1, 2 and 3a may be acceptable provided an adequate number of redundant sensors are implemented with effective separation and independence | The RPS and CLS share some common sensors. These signals are collected by the RPS and transferred to the CLS by the isolation device, which is classified as part of the RPS | Satisfied
For the automatic actuation of safety systems or for the monitoring of plant parameters in accident conditions, it is a good practice to rely on different physical parameters to reduce the consequences of failure of sensors due to common causes | The reactor trip function in the RPS can be initiated by at least two functionally diverse parameters | Satisfied

3.3 Independence Analysis

Independence Between the Main Defence Line and Preventive Line

The RPS is separated from the CLS by appropriate distances or physical barriers in accordance with IEC 60709 [4]. For the signal exchange between the RPS and the CLS, electrical isolation and communication isolation in accordance with IEC 60709 are achieved to prevent failure propagation from the CLS to the RPS. The isolation device is classified as part of the RPS.

Independence Between the Main Defence Line and Diverse Defence Line, Risk Reduction Line

The RPS, DAS and DEC-A I&C are seismically qualified, so physical barriers or distance between them are not required. There is no communication between the RPS, DAS and DEC-A I&C. For the hardwired interface between the RPS, DAS and DEC-A I&C, electrical isolation in accordance with IEC 60709 is achieved to prevent failure propagation from the DAS and DEC-A I&C to the RPS. The isolation device is classified as part of the RPS. The sensors employed by the DAS are different from the sensors employed by the RPS.


Independence Between the Severe Accident Defence Line and Other Defence Lines

The SAI&C is seismically qualified and separated from the non-seismically qualified systems by appropriate distances or physical barriers in accordance with IEC 60709. There is no hardwired interface between the SAI&C and other systems. For the communication between the SAI&C and the CLS, communication isolation in accordance with IEC 60709 is achieved to prevent failure propagation from the CLS to the SAI&C. The sensors and actuators employed by the SAI&C are different from the sensors and actuators employed by other systems. The power source of the SAI&C is independent from the power sources of other systems.

3.4 Diversity Analysis

The diversity principle is applied to the overall design of the I&C systems through signal diversity, equipment diversity and function implementation diversity to cope with CCF.

– Signal diversity: a safety action is initiated based upon the values of different plant parameters. In the I&C design, the reactor trip function in the RPS can be initiated by at least two functionally diverse parameters corresponding to the same DBA.
– Equipment diversity: the RPS and the DAS are implemented with diverse technology. When the RPS (the main defence line) is unavailable due to CCF, the DAS (the diverse defence line) can perform the required functions.
– Function implementation diversity: in addition to the automatic functions, manual reactor trip and engineered safety feature actuation can be realized from the ECP. The command from the ECP is realized by hardware logic and bypasses the digital systems.
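The independence rules of subclause 3.3 and the signal-diversity rule of subclause 3.4 can be checked mechanically against a model of the architecture. The following is an added example, not code from the paper: Link, Architecture, check_architecture and example_architecture are the example's own names, the architecture model is a constructed version of Fig. 1 / Table 2, and the sensor tags, power-source names and trip parameters are sample values, not plant data.

```python
"""Rule checks for the independence and diversity analysis of Sects. 3.3 and 3.4.

Added example, not code from the paper: the architecture model below is a constructed
version of Fig. 1 / Table 2, and Link, Architecture, check_architecture and
example_architecture are the example's own names. Sensor tags, power-source names
and trip parameters are sample values, not plant data.
"""
from dataclasses import dataclass


@dataclass
class Link:
    src: str                   # system sending the signal
    dst: str                   # system receiving it
    kind: str                  # "hardwired" or "communication"
    isolated: bool             # isolation in accordance with IEC 60709 in place
    isolation_owner: str = ""  # system the isolation device is classified as part of


@dataclass
class Architecture:
    links: list         # Link objects
    sensors: dict       # system -> set of sensor tags
    power: dict         # system -> power source
    trip_params: dict   # DBA -> set of functionally diverse reactor trip parameters


def check_architecture(arch):
    """Return the list of rule violations; an empty list means every rule holds."""
    findings = []
    for lk in arch.links:
        pair = {lk.src, lk.dst}
        tag = f"{lk.src}->{lk.dst}"
        if pair == {"RPS", "CLS"}:
            # Main vs preventive line: isolation required, device classified as part of RPS.
            if not (lk.isolated and lk.isolation_owner == "RPS"):
                findings.append(f"{tag}: RPS/CLS exchange needs RPS-owned isolation")
        elif "RPS" in pair and pair & {"DAS", "DEC-A I&C"}:
            # Main vs diverse / risk-reduction lines: hardwired only, isolated at the RPS.
            if lk.kind == "communication":
                findings.append(f"{tag}: no communication between RPS, DAS and DEC-A I&C")
            elif not (lk.isolated and lk.isolation_owner == "RPS"):
                findings.append(f"{tag}: hardwired interface needs RPS-owned electrical isolation")
        elif "SAI&C" in pair:
            # Severe accident line: no hardwired interface; only isolated communication with CLS.
            if lk.kind == "hardwired":
                findings.append(f"{tag}: SAI&C must have no hardwired interface")
            elif pair != {"SAI&C", "CLS"} or not lk.isolated:
                findings.append(f"{tag}: SAI&C may only communicate with CLS through isolation")
    # Dedicated sensors and an independent power source for the severe accident line.
    others = set().union(*(s for n, s in arch.sensors.items() if n != "SAI&C"))
    if arch.sensors["SAI&C"] & others:
        findings.append("SAI&C shares sensors with another system")
    if any(p == arch.power["SAI&C"] for n, p in arch.power.items() if n != "SAI&C"):
        findings.append("SAI&C shares a power source with another system")
    # Diverse line: DAS sensors differ from RPS sensors.
    if arch.sensors["DAS"] & arch.sensors["RPS"]:
        findings.append("DAS and RPS share sensors")
    # Signal diversity: each DBA initiates reactor trip on at least two parameters.
    for dba, params in arch.trip_params.items():
        if len(params) < 2:
            findings.append(f"{dba}: reactor trip relies on a single parameter")
    return findings


def example_architecture():
    """Constructed, compliant model of the Fig. 1 architecture (sample values only)."""
    return Architecture(
        links=[
            Link("RPS", "CLS", "communication", True, "RPS"),   # shared signals passed to CLS
            Link("DAS", "RPS", "hardwired", True, "RPS"),
            Link("DEC-A I&C", "RPS", "hardwired", True, "RPS"),
            Link("CLS", "SAI&C", "communication", True, "SAI&C"),
        ],
        sensors={
            "RPS": {"PT-1", "LT-1", "NI-1"},
            "CLS": {"PT-1", "LT-1"},   # shared with the RPS through the RPS isolation device
            "DAS": {"PT-2", "LT-2"},
            "DEC-A I&C": {"TE-3"},
            "SAI&C": {"H2-SA", "PT-SA"},
        },
        power={"CLS": "UPS-A", "RPS": "UPS-A", "DAS": "UPS-B",
               "DEC-A I&C": "UPS-B", "SAI&C": "UPS-SA"},
        trip_params={"DBA-1": {"pressure low", "level low"},
                     "DBA-2": {"flux high", "pressure high"}},
    )


if __name__ == "__main__":
    print(check_architecture(example_architecture()) or "all independence rules satisfied")
```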

4 Conclusion

The design of DiD for the I&C system in this paper meets the requirements of DiD level design, independence and diversity proposed by IAEA. However, optimization can be continued in the following areas:

– The diversity can be improved. The CLS, RPS and DAS all adopt different platforms.
– For the equipment shared by multiple DiD levels, such as the priority management module and the isolation and distribution module, attention should be paid to the requirements of the latest international regulations and standards and to international good-practice experience feedback. The mechanism of CCF should be studied, and appropriate improvement measures taken to deal with CCF.

The design of the I&C system should be consistent with the overall DiD concept of the NPP. However, the I&C system has certain characteristics of its own. For example, while emphasizing the independence and diversity of the DiD levels, consideration should be given to avoiding excessive complexity of the I&C system. The cost and maintainability of the I&C system should also be considered.


References

1. International Atomic Energy Agency: SSR 2/1: Safety of Nuclear Power Plants: Design. IAEA, Vienna (2016)
2. International Atomic Energy Agency: TECDOC 1791: Considerations on the Application of the IAEA Safety Requirements for the Design of Nuclear Power Plants. IAEA, Vienna (2016)
3. International Atomic Energy Agency: SSG-39: Design of Instrumentation and Control Systems for Nuclear Power Plants. IAEA, Vienna (2016)
4. International Electrotechnical Commission: IEC 60709: Nuclear power plants – Instrumentation, control and electrical power systems important to safety – Separation. IEC, Geneva (2018)

Test Analysis About Hydrogen Detection Equipment Under Severe Accident in Nuclear Power Plant

Dan Xu1, Zhou Xiao1, Ya-Jie Tian1, and Xiao-Ming Qian2(B)

1 State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co., Ltd., Shenzhen 518172, China
[email protected]
2 Nuclear and Radiation Safety Center, MEE, Beijing 100082, China

Abstract. The Fukushima accident caused serious damage to public health and the environment. Licensees of nuclear power plants in China are required to take measures to prevent severe accidents from happening. Control and detection of hydrogen in the containment under severe accident is one of the improvement actions. This article analyzes the requirements for a hydrogen detection system and the related test requirements for this detection system. A comparison of IEC 61298 and IEC 61779 is made to identify the tests that should be carried out on a newly developed detection system/equipment. Nuclear qualification tests have also been considered. One testing system frame is put forward.

Keywords: Severe accident · Hydrogen detection · Testing system

1 Introduction

The explosions that happened in the Fukushima accident reminded nuclear authorities in different countries of the great damage caused by flammable and explosive gas in the containment under severe accident. The China National Nuclear Safety Administration (NNSA) has set up the General Requirements for Nuclear Plant Safety Improvement Actions after Fukushima Accident [1]. Hydrogen detection in the containment under severe accident is one of these actions. Due to the radioactive environment in the containment, ordinary hydrogen detection equipment is not applicable. After the hydrogen detection improvement requirement was published, several instrument manufacturers started to develop sensors which can meet the needs of nuclear plants. There are quite a lot of hydrogen detection principles [2]. Hydrogen-sensitive alloy is one of them. A hydrogen-sensitive alloy can capture hydrogen atoms and form a structure whose electrical characteristics reflect the hydrogen concentration in the environment. One or more further elements added to the alloy can ameliorate the brittleness problem caused by high hydrogen concentration and improve its detection performance. Detection equipment based on this principle has the merits of small size and little hydrogen consumption. Hereafter this kind of sensor is called an Alloy-film sensor [3].

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 177–185, 2021. https://doi.org/10.1007/978-981-16-3456-7_19

178

D. Xu et al.

This article analyzes the tests that should be carried out on a newly developed hydrogen detection system/equipment based on the Alloy-film sensor.

2 Hydrogen Detection Requirement Analysis

2.1 Requirements on System Level

The General Requirements for Nuclear Plant Safety Improvement Actions after Fukushima Accident published by NNSA is a high-level input for hydrogen detection system design and equipment development [1]. Considering the hydrogen control system, the hydrogen concentration in the containment should be controlled under 10%. The classification and performance requirements of the hydrogen detection system/equipment are specified by the plants. Quality management, qualifications or tests are applied according to the corresponding level of standards. A detailed analysis of the applicable standards is given in article [4]. The operating environment of the hydrogen detection equipment depends on the design of the detection system. There are two main types of hydrogen detection system, distinguished by the location of the hydrogen sensor, inside or outside the containment [5]. The type with the sensor located inside the containment is taken as the precondition for the test analysis in this article.

2.2 Requirements on Equipment Level

The hydrogen detection system discussed in this article mainly consists of the hydrogen sensor, a signal transformation cabinet, environment parameter compensation components, connectors and a protective enclosure. These components can be divided into two groups: self-developed components and market-purchased components. Tests of self-developed components should focus on the reproducibility and stability of the sensor. For standard commercial components which can be purchased from the market, it is important to inspect the documentation or records which support the use of the component. These include the user manual, performance features, operating feedback and potential risk judgement. Adequate analysis should be made before making a choice. These components should not introduce danger or risk for the safe operation of the system. Normal operation of the hydrogen detection system under the defined situations should be guaranteed by the equipment.

3 Design of the Testing System

3.1 Testing Requirement Analysis

As one kind of instrument, the hydrogen detection equipment should consider the tests mentioned in IEC 61298, and those in IEC 61779, which is a standard for hydrogen [6, 7]. Qualification tests following nuclear power standards also need to be analyzed.


Standards IEC 61298 and IEC 61779 are compared to sort out the general testing requirements for system/equipment performance under normal ambient conditions [6, 7]. The qualification tests are performed after the hydrogen detection performance tests under normal ambient conditions. Some performance tests are used to judge whether the system/equipment has passed the challenge of the qualification tests.

3.2 Testing Requirement Under Normal Ambient Condition

Test Sample and Test Sequence

IEC 61298 has no requirement for sample quantity and testing sequence [6]. IEC 61779 gives requirements on the sample and the test sequence of the type test in its Chapter 4.2; it allows changing the test sample for different test items [7]. The long-term stability test and the environmental tests (dust, poisons and high gas concentration) are carried out on one sample which is different from the one used for the other tests. For the situation discussed in this article, poisons which may impact the function of the Alloy-film sensor do not exist in the containment and storage places of a nuclear power plant, so the poisons test is not applicable. The dust test can be covered by the IP class test of the equipment.

Test on Accuracy

IEC 61298 suggests carrying out three or five cycles for the type test [6]. Every cycle includes the up and down directions and eleven test points, located at every 10% of the input span. The tests are to confirm the inaccuracy, maximum measured error, non-linearity and non-repeatability. IEC 61779 demands that the calibration be performed three times consecutively at four volume ratios evenly distributed over the measuring range [7]. For the response characteristics test, a minimum of three points spread evenly between 20% and 100% of the measuring range needs to be checked. Five cycles for type testing are suggested for the newly developed detection system. Meanwhile, in addition to the check points required by the standards, the points that trigger alarms as defined in the plant project requirement specification should be considered.

Stability Test

IEC 61298 sets requirements for start-up drift and long-term drift [6]. The testing time for the former is eight hours and for the latter thirty days. IEC 61779 is concerned with short-term stability and long-term stability [7]. The short-term stability test checks the sensor indication value after the sensor has operated for one hour in clean air and then been switched to operate in hydrogen, at ten-minute intervals. The long-term stability test checks the indication value of the sensor after the detection system has worked continuously for three months. The testing frequency of the long-term stability test differs between IEC 61298 and IEC 61779 [6, 7].


Variable Effects Test

IEC 61298 takes several variables into consideration [6], such as power, environment temperature, process fluid temperature and flow, static line pressure, atmospheric temperature, humidity, vibration, etc. IEC 61779 covers most of the variables listed in IEC 61298 [6, 7]. As a special part, IEC 61779 considers the requirement for poisoning and disturbance by other gases [7]. EMC effects are mentioned in both standards; these will be discussed in the qualification part below. The Alloy-film sensor and its supporting components need to consider testing the influence of power changes, environment temperature and pressure, humidity and vibration. The high-temperature vapour and vibration effects tests will be discussed in the qualification part below.

Dynamic Test

IEC 61298 checks the step response characteristic of the sensor [6]. The output span changes from 10% to 90% and then back to 10% by triggering 10% changes of the output span from a series of points. IEC 61779 requires a step change from clean air to the standard test gas, with the corresponding response times t(50) and t(90) measured in each direction [7]. How to realize the step change is a key point for a testing system; IEC 61779 introduces a few methods for carrying it out [7]. The dynamic test for the newly developed hydrogen detection system will take t(90) as the judging criterion for the response time.

Over-Range Test

IEC 61298 requires the over-range test to be performed using 50% of the maximum and minimum span as input, and checking the change of output for the minimum span [6]. IEC 61779 requires the sensor to be subjected to a step change from clean air to 50% volume fraction of gas for three minutes, and then changed back to clean air for twenty minutes [7]. After that, the residual effect is checked under the standard test gas. Over-range of the span usually needs to trigger an alarm in nuclear power plant operation, so 100% of the maximum span is to be tested for the newly developed hydrogen detection system.

Others

IEC 61779 sets requirements for the safety degree of the testing devices and the preparation of standard gases [7]. It suggests methods for mixing standard gases by quoting ISO 6142/6145/6147. A summary of the comparison of these two standards is shown in Table 1.

Test Analysis About Hydrogen Detection Under Severe Accident

181

Table 1. Summary of standard comparison (IEC 61298 [6] versus IEC 61779 [7]). Test items compared: sample quantity; response test; accuracy (IEC 61298: inaccuracy, maximum measured error, non-linearity; IEC 61779: accuracy); repeatability (IEC 61298: non-repeatability); long-term stability; alarm; variables; orientation; selectivity; poisons test; over-range test; power change test; EMC; calibration kit; drop; others (IEC 61779: standard gas, safety). The "X" and "NA" marks of the original grid cannot be assigned to their cells in this copy.

3.3 Qualification Tests for Nuclear Power Plant
Qualification confirms the performance reliability of the equipment under the defined working environment. Different qualification tests apply according to the equipment's safety


importance and installation environment. The commonly used standards for hardware qualification include RCC-E, IEC 60780, IEEE 323 and KTA 3503 [8–11]. Considering the possible situation of the hydrogen detection system/equipment, the following qualification tests are to be carried out:
– aging tests
– EMC tests
– Seismic tests
– Radiation tests
– Thermal environment tests
– Aerosol tests
– Explosion proof tests
– Software V&V analysis and test
The qualification sequence depends on the qualification standard to be used.

3.4 Testing System Design
Considering all the testing requirements, a testing system that can perform tests under normal ambient conditions and the thermal environment test is built. This system can also be used to check the main performance features of the hydrogen detection system/equipment after qualification tests such as aging tests and EMC tests.

Test Chamber
Under a severe accident, hydrogen accumulates in the upper space of the containment by natural diffusion; gas flow and velocity are taken to be zero. A test chamber should provide adequate space to simulate the real environment and to install the sensor in it; 30 L is suggested by ISO 26142 [12]. A steam producing system and a thermal insulation system need to be added to support the thermal environment test.

Response Test
The hydrogen concentration in the test chamber cannot be stabilized immediately, which affects the definition of the starting moment of the response test. The required response time for the hydrogen detection equipment is counted in minutes. If the response time claimed by the manufacturer is obviously shorter than the required time, the stabilization time of the hydrogen concentration will not affect the judgement of the test result, and the starting point of the response test can be set at the moment gas injection into the chamber begins. If the time difference is not large, the method introduced in ISO 26142 [12] (Fig. 1) can be used, that is, a small box containing the sensor is opened so that the sensor touches the gas suddenly.


Fig. 1. Small box used for response time

Control System of Test Gas Concentration
The purpose of the test gas concentration control system is to provide the hydrogen volume concentration needed for the test in the test chamber by controlling the flow of the different gases. Based on the ideal gas equation of state, the gas quantity in moles is calculated as in Eq. (1); the compressibility factor of the real gas state should be considered in tests.

$$pV = nRT, \qquad V = \sum_i v_i, \qquad \text{then}\quad n_i = \frac{p_i v_i}{RT} \tag{1}$$

The design of the test gas concentration control system follows control method (b) introduced in [13]. The chamber and pipes are purged with gas of known composition, and the test chamber is then evacuated to a preset degree. The opening of the inlet valves and the mass flow values are acquired by the controller, and the valves are closed when the predefined value is reached. The schematic diagram is shown in Fig. 2. A reference sensor using a diverse hydrogen detection principle is placed on the exhaust line of the test chamber to validate that the test gas concentration is the planned value.
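As an added illustration of the fill procedure just described (not code from the paper), the following Python plans the partial pressures to admit after purging and evacuating the chamber, computes the gas quantities from Eq. (1) with an optional compressibility factor Z, and checks the diverse reference sensor against the planned concentration. The function names, the residual-pressure handling, the tolerance and any Z values are assumptions for illustration.

```python
# Added example (not from the paper): planning a test-gas fill for the chamber
# from Eq. (1), n_i = p_i v_i / (R T), with an optional compressibility factor Z,
# and checking the reference sensor against the planned concentration.
# Names, tolerances and the Z values used are assumptions for illustration.

R = 8.314462618  # universal gas constant, J/(mol K)


def moles(p_pa, v_m3, t_k, z=1.0):
    """Amount of gas from the equation of state p V = Z n R T (Z = 1 is Eq. (1))."""
    if p_pa < 0 or v_m3 <= 0 or t_k <= 0 or z <= 0:
        raise ValueError("pressure must be non-negative; volume, temperature and Z positive")
    return p_pa * v_m3 / (z * R * t_k)


def fill_plan(target_fraction, chamber_volume_l, total_pressure_kpa, temperature_k,
              residual_pressure_kpa=0.0, z_h2=1.0, z_air=1.0):
    """Partial pressures to admit after purging with air and evacuating the chamber.

    The residual gas left after evacuation is assumed to be the purge gas (air),
    so it counts towards the air content of the final mixture. Returns a dict
    with the partial pressures to add and the resulting moles and H2 fraction.
    """
    if not 0.0 < target_fraction < 1.0:
        raise ValueError("target fraction must lie strictly between 0 and 1")
    v = chamber_volume_l / 1000.0           # L -> m^3
    p_total = total_pressure_kpa * 1000.0   # kPa -> Pa
    p_res = residual_pressure_kpa * 1000.0
    p_h2 = target_fraction * p_total        # Dalton: partial pressure of H2
    p_air_add = p_total - p_res - p_h2      # air still to be admitted
    if p_air_add < 0:
        raise ValueError("residual pressure too high for the requested mixture")
    n_h2 = moles(p_h2, v, temperature_k, z_h2)
    n_air = moles(p_res + p_air_add, v, temperature_k, z_air)
    return {
        "p_h2_pa": p_h2,
        "p_air_add_pa": p_air_add,
        "n_h2_mol": n_h2,
        "n_air_mol": n_air,
        "fraction": n_h2 / (n_h2 + n_air),  # equals the target only when z_h2 == z_air
    }


def reference_agrees(planned_fraction, measured_fraction, tol_abs=0.002):
    """Acceptance check for the diverse-principle reference sensor on the exhaust line.

    tol_abs is an assumed absolute tolerance in volume fraction (0.2 vol%).
    """
    return abs(planned_fraction - measured_fraction) <= tol_abs


if __name__ == "__main__":
    plan = fill_plan(0.04, 30.0, 101.325, 298.15, residual_pressure_kpa=5.0)
    print(plan)
    print(reference_agrees(plan["fraction"], 0.0415))
```

With equal compressibility factors the resulting volume fraction is exactly the Dalton ratio p_H2/p_total; passing different Z values for hydrogen and air shows how far the real-gas correction the paper mentions shifts the planned concentration.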


Fig. 2. Gas control schematic diagram

3.5 Testing Environment
The testing room should be large enough to prevent explosion risk caused by hydrogen leakage. Leakage detectors are installed at potential leakage points to help confirm that the environment is safe and to trigger alarms in time when a leak occurs. The testing area, monitoring area and exhaust area need adequate physical isolation, and hydrogen in the exhaust area should be diluted adequately by ventilation. Figure 3 shows a schematic diagram combining the above analysis.

Fig. 3. Testing system schematic diagram

4 Testing System Application
The testing system discussed in this article is used in the development of a new hydrogen detection system based on an alloy-film sensor. This detection system is intended for second and third generation pressurized water reactor nuclear power plants. Along with the development, the testing system is not fixed and unchangeable: with the help of several findings made during large quantities of tests, some adjustments to the testing system have been made. For example, a chamber with a larger volume is used for


the thermodynamic test than the one used for normal-condition tests; materials of a higher grade are applied for some components of the testing platform in order to prolong their life; and some suggestions given in ISO 26142 are considered for the testing realization, such as the acceptance criteria for testing in the low part of the detection range.

5 Summary
For hydrogen detection equipment to be used in the containment of a nuclear power plant, tests following both general industry and nuclear industry standards should be implemented. Because of the characteristics of hydrogen, special attention should be paid to safety during these tests. The testing system designed in this article covers the test requirements and conditions applicable to pressurized water reactor nuclear power plants. The realization of the testing system is not yet perfect, and findings made during the testing process help improve it. Modularizing the steam producing subsystem so that the thermodynamic environment can be created quickly would greatly improve the testing efficiency; this is the improvement target for the testing system discussed in this article.

References
1. China National Nuclear Safety Administration: General Requirements for Nuclear Plant Safety Improvement Actions after Fukushima Accident (2012)
2. Buttner, W.J., Post, M.B., Burgess, R., Rivkin, C.: An overview of hydrogen safety sensors and requirements. Int. J. Hydrogen Energy 36(3), 2462–2470 (2011)
3. Feng, Y.: Studies of Palladium-Silver Thin Film for Hydrogen Sensing. Master dissertation of Zhejiang University, March 2006
4. Xiao, Z., Liu, Z.-Y., Xu, D.: Analysis of the design standards for severe accident related instrument systems. Process Autom. Instrum. 36, 18–21 (2015)
5. Xiao, Z., Jiang, X.-Y.: Discussion on the design of containment hydrogen concentration monitoring system under severe accident. Chin. J. Nucl. Sci. Eng. 31(2), 35–40 (2011)
6. International Electrotechnical Commission: IEC 61298: Process measurement and control devices - General methods and procedures for evaluating performance (2008)
7. International Electrotechnical Commission: IEC 61779: Electrical apparatus for the detection and measurement of flammable gases (1998)
8. AFCEN: RCC-E: Design and construction rules for electrical equipment of PWR nuclear islands (2012)
9. International Electrotechnical Commission: IEC 60780: Nuclear power plants - Electrical equipment of the safety system - Qualification (2016)
10. Institute of Electrical and Electronics Engineers: IEEE 323: IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations (2003)
11. The Nuclear Safety Standards Commission (Kerntechnischer Ausschuss): KTA 3503: Specific acceptability test of electrical subassemblies of the reactor protection system (2015)
12. ISO 26142: Hydrogen detection apparatus - Stationary applications. International Standard (2010)
13. Salyk, O., Castello, P., Harskamp, F.: A facility for characterization and testing of hydrogen sensors. Meas. Sci. Technol. 17, 3033–3041 (2006)

Research of Advanced Control Algorithm in Primary Loop Control System

Zhi-Guang Deng(B), Bi-Wei Zhu, Qian Wu, Peng He, Mei-Qiong Xiang, Tao Xu, and Yue Qing
National Key Laboratory of Science and Technology on Reactor System Design Technology, Chengdu 610213, China

Abstract. The primary loop system of nuclear power plant is a large-scale control system with serious coupling between loops and complex objects. In order to solve the problem of integrated control of primary loop core power, stabilizer pressure and water level, and steam generator water level, this paper applies improved predictive control algorithms to each sub-control system on the basis of mechanism modeling. For the strong non-linear problem of water level control, a multi-model predictive controller is constructed through linearization at each typical operating point. The simulation results show that the application of advanced predictive control algorithm to the primary loop control system has achieved good control performance, and it also lays a solid foundation for subsequent practical engineering applications.

Keywords: SDMC · Multi-model DMC · Primary core power · Water level of regulator · Water level of steam generator

1 Introduction
The primary loop system of the reactor includes many complex sub-control systems, such as core power, pressure and water level of the regulator, water level of the steam generator, etc. The coupling between the sub-systems is strong and the object model is complex [1, 2]. At present, the primary sub-systems of nuclear power plants mostly adopt the traditional PID control algorithm, which has achieved good control results. However, the control performance still needs to be improved during periods of frequent load fluctuation and serious internal and external disturbance of the system [3, 4]. Advanced predictive control has the advantages of low model requirements, self-decoupling and strong robustness [5], and the improved stepped predictive control has the advantages of a simple principle, convenient on-line tuning and avoidance of complicated matrix inversion, which makes it more suitable for engineering practice [6, 7]. In this paper, the stepped dynamic matrix algorithm is applied to the core power control system and to the multivariable water level and pressure control system of the regulator; at the same time, for the strong nonlinearity of the steam generator water level object, a multi-model switching predictive controller is constructed. Through hot start and variable load simulation experiments, the feasibility and superiority of the advanced predictive control algorithm applied to the reactor primary loop control system are demonstrated.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 186–198, 2021. https://doi.org/10.1007/978-981-16-3456-7_20

Research of Advanced Control Algorithm

187

2 Primary Loop System Model

2.1 Core Power Model
The core power model in this paper uses the core state space model established in reference [8], as shown in formula (1):

$$\begin{cases} \dot{x} = Ax + Bu \\ y = Cx + Du \end{cases} \tag{1}$$

where $x$ is the state vector, $\dot{x}$ is its derivative, $y$ is the output, $u$ is the input, and $A$, $B$, $C$ and $D$ are the coefficient matrices. The state variables, output and input are selected as follows:

$$\begin{cases} x = [\,\delta n \;\; \delta c \;\; \delta T_f \;\; \delta T_1 \;\; \delta\rho_r\,]^T \\ y = [\delta n] \\ u = [Z_r] \end{cases} \tag{2}$$

where

$$B = [\,0 \;\; 0 \;\; 0 \;\; 0 \;\; G_r\,]^T, \qquad C = [\,1 \;\; 0 \;\; 0 \;\; 0 \;\; 0\,], \qquad D = [0],$$

and $A$ is the $5 \times 5$ coefficient matrix whose entries are formed from $\beta$, $\lambda$, $\alpha$, $f_f$, $\mu_f$, $\mu_c$, $\alpha_c$, $M$, $P$ and $n_0$ (the entries are not legible in this copy; they are given in reference [8]). Here $\delta n$ is the deviation of the neutron density from the equilibrium value, m$^{-3}$; $\delta c$ is the change of the precursor nuclear concentration, m$^{-3}$; $\delta T_f$, $\delta T_1$ and $\delta\rho_r$ are the average fuel temperature, the coolant outlet temperature and the reactivity introduced by control rod movement, respectively. The relevant quantities in the coefficient matrix are given in reference [8]. The above state space model is transformed into a transfer function model and discretized as follows:

$$G(z) = \frac{2.649z^{-1} - 5.812z^{-2} + 4.16z^{-3} - 0.9604z^{-4} - 0.002953z^{-5}}{1 - 3.055z^{-1} + 3.439z^{-2} - 1.689z^{-4} + 1.096\times 10^{-17}z^{-5}} \tag{3}$$

188

Z.-G. Deng et al.

2.2 Pressure and Water Level Model of Regulator
Figure 1 is a simplified schematic diagram of the regulator (pressurizer). The central idea of the regulator model optimization is to regard the steam region and the liquid region as one control body and to establish energy, mass and volume conservation equations. Taking the mass, specific volume and enthalpy of each region as state variables, and assuming that the state variables are independent of each other and are functions of temperature, the binary equations with temperature change and liquid mass change as unknowns are obtained, from which the regulator parameters at the next moment follow. In this way the model can be solved without considering the mutual conversion between vapor and liquid [9, 10]. In order to establish a simplified mathematical model of the regulator, the following assumptions are made: 1) the internal pressure of the whole regulator is the same; 2) the volume of the whole regulator remains unchanged; 3) before and after the fluctuation, the liquid droplets formed by the condensation of spray water and steam reach phase equilibrium with the steam when falling to the liquid level; 4) the influence of steam condensation on the wall surface of the regulator is ignored; 5) the vapor and liquid phases are always in a saturated state.

Fig. 1. Simplified schematic of regulator (labelled flows: Wsp, Wrv, Wbs, nQ, Wps, Wsu)

According to the above assumptions, the mathematical model of the regulator is established.

(1) Mass balance equation

$$dM = dM_G + dM_F = (W_{su} + W_{bs} + W_{sp} - W_{ps} - W_{rv})\,dt \tag{4}$$

(2) Energy balance equation

$$(M_F + dM_F)(h_F + dh_F) + (M_G + dM_G)(h_G + dh_G) = M_F h_F + M_G h_G + dE \tag{5}$$


where

$$dE = nQ\,dt + W_{su}h_{su} + W_{bs}h_{bs} + W_{sp}h_{sp} - W_{ps}h_F - W_{rv}h_G + \frac{1}{J}V\,dP$$

(3) Volume balance equation

$$V = V_F + V_G = (M_F + dM_F)(v_F + dv_F) + (M_G + dM_G)(v_G + dv_G) \tag{6}$$

(4) Water level equation
If the upper and lower heads of the regulator are hemispherical and the middle section is cylindrical, then:

$$V = \frac{\pi}{4}D^2 H - \frac{\pi}{24}D^3 \tag{7}$$

The meanings of the symbols are given in Table 1.

Table 1. Symbolic meaning

Sign    Meaning
Wsu     Coolant fluctuating flow, kg/s
Wsp     Spray flow rate, kg/s
Wrv     Steam release flow rate, kg/s
Wbs     Replenishment flow rate, kg/s
Wps     Drainage flow, kg/s
Q       Power of a single electric heater, kW
V       Effective volume of regulator, m3
P       Regulator pressure, MPa
T       Regulator temperature, °C
M       Total mass of vapor and liquid phases in the regulator, kg
MG      Mass of steam in regulator, kg
MF      Mass of water in pressurizer, kg
dE      Energy change
VG      Volume of steam in regulator, m3
VF      Volume of water in regulator, m3
hF, hG  Enthalpy of liquid phase and vapor phase, kJ/kg
hsu     Enthalpy of the fluctuating (surge) coolant flow, kJ/kg
hsp     Spray water enthalpy, kJ/kg
vG      Specific volume of steam, m3/kg
vF      Specific volume of liquid, m3/kg
D       Internal diameter of regulator, m
H       Regulator water level, m
J       Coefficient of thermal equivalence
n       Number of electric heaters


Taking the simulation data of a 900 MW nuclear power plant as the verification data [11], through derivation and simplification, the transfer function matrix of the pressure and water level of the regulator is obtained as follows:

$$\begin{bmatrix} P \\ H \end{bmatrix} = \begin{bmatrix} G_{11}(s) & G_{12}(s) \\ G_{21}(s) & G_{22}(s) \end{bmatrix} \begin{bmatrix} p_Q \\ v_S \end{bmatrix} = \begin{bmatrix} \dfrac{9.98\times 10^{-8}}{s} & \dfrac{1.19\times 10^{-6}}{s(19.2s+1)} \\[2ex] -\dfrac{8.51\times 10^{-5}}{s(23.5s+1)} & -\dfrac{2.52\times 10^{-5}}{s(33.35s+1)} \end{bmatrix} \begin{bmatrix} p_Q \\ v_S \end{bmatrix} \tag{8}$$

where $p$ is the heater power and $v$ is the opening of the charging valve.

2.3 Water Level Model of Steam Generator
Figure 2 shows a typical PWR nuclear power plant steam generator water level control system [12, 13], where Qs is the steam flow rate, Qfw is the feed water flow rate, L is the set water level and Y is the water level. It can be seen that the water level process of the steam generator in a PWR nuclear power plant can be expressed by the transfer functions of two channels. According to the typical mathematical model of the steam generator water level process in a PWR nuclear power plant provided in reference [13], the transfer function model is shown in Eq. (1) and Eq. (2). Among them, G0(s) is the transfer function of the controllable channel of the water level process, and G1(s) is the transfer function of the disturbance channel of the water level process. The parameters of these transfer function models change with the PWR power level, as shown in Table 2.

Fig. 2. Water level control system of steam generator

$$G_0(s) = \frac{Y(s)}{G_{fw}(s)} = \frac{g_1}{s} - \frac{g_2}{\tau_2 s + 1} + \frac{g_3}{s^2 + 2\tau_1^{-1}s + \tau_1^{-2} + 4\pi^2 T^{-2}} \tag{9}$$

$$G_1(s) = \frac{Y(s)}{G_s(s)} = \frac{g_1}{s} - \frac{g_2}{\tau_2 s + 1} \tag{10}$$


Table 2. Parameter values of the steam generator (evaporator) level model under different power levels

Power level/%    5        15       30       50       100
g1/(mm/kg)       0.058    0.058    0.058    0.058    0.058
g2/(mm/kg)       9.63     4.46     1.83     1.05     0.47
g3/(mm/kg)       0.181    0.226    0.310    0.215    0.105
τ1/s             41.9     26.3     43.4     34.8     28.6
τ2/s             48.4     21.5     4.5      3.6      3.4
T/s              119.6    60.5     17.7     14.2     11.7
Qs/(kg/s)        57.4     180.8    381.8    660      1435

3 Advanced Predictive Control

3.1 Stepped DMC
Stepped dynamic matrix control is a predictive control algorithm that uses a stepped (stair-like) strategy to solve for the control law on the basis of the conventional dynamic matrix algorithm, setting:

$$\Delta u_t = \delta,\qquad \Delta u_{t+i} = \beta\,\Delta u_{t+i-1} = \beta^{i}\delta,\quad 1 \le i \le M-1 \tag{11}$$

where M is the control horizon. Therefore, the control sequence at future moments becomes:

$$\Delta U = [\,\Delta u_t \;\; \Delta u_{t+1} \;\cdots\; \Delta u_{t+M-1}\,]^T = [\,\delta \;\; \beta\delta \;\cdots\; \beta^{M-1}\delta\,]^T = [\,1 \;\; \beta \;\cdots\; \beta^{M-1}\,]^T\delta \tag{12}$$

As can be seen from Eq. (12), the control increment ΔU is stepped and changes smoothly and evenly; this avoids the matrix inversion involved in solving for the control law, reduces the amount of calculation and improves stability. At the same time, the added constraints meet the requirements of actual engineering control, so the algorithm is more suitable for engineering applications [14]. Consider the following objective function:

$$\min_{\Delta U} J = \sum_{i=0}^{P-1}\left(\hat{y}_{k+i} - w_{k+i}\right)^2 + \lambda\sum_{i=0}^{M-1}\left(\Delta u_{k+i}\right)^2 = \left(\hat{Y} - W\right)^T\left(\hat{Y} - W\right) + \lambda\,\Delta U^T\Delta U \tag{13}$$

where P is the prediction horizon, $\hat{Y}$ is the predicted value of the model, W is the set value and λ is the control weighting coefficient.


The prediction equation of DMC for the model predicted value is shown as Eq. (14), where $Y_0$ is the initial prediction value and S is the dynamic matrix.

$$\hat{Y} = S\,\Delta U + Y_0 \tag{14}$$

Combining Eq. (11)–Eq. (14), the equivalent dynamic matrix of the stepped predictive control algorithm is as follows:

$$S\,\Delta U = \begin{pmatrix} s_1 & 0 & \cdots & 0 \\ s_2 & s_1 & \cdots & 0 \\ \vdots & & \ddots & \vdots \\ s_M & s_{M-1} & \cdots & s_1 \\ \vdots & \vdots & & \vdots \\ s_P & s_{P-1} & \cdots & s_{P-M+1} \end{pmatrix} \begin{pmatrix} 1 \\ \beta \\ \vdots \\ \beta^{M-1} \end{pmatrix}\delta = \begin{pmatrix} s_1 \\ s_2 + \beta s_1 \\ \vdots \\ s_M + \beta s_{M-1} + \cdots + \beta^{M-1}s_1 \\ \vdots \\ s_P + \beta s_{P-1} + \cdots + \beta^{M-1}s_{P-M+1} \end{pmatrix}\delta = G\delta \tag{15}$$

where G is a column vector of size P × 1. Therefore, the prediction equation of Eq. (14) and the objective function of Eq. (13) in the stepped dynamic matrix prediction algorithm can be expressed as follows:

$$\hat{Y} = G\delta + Y_0 \tag{16}$$

$$\min_{\Delta U} J = (Y_0 + G\delta - W)^T(Y_0 + G\delta - W) + \lambda\left(1 + \beta^2 + \cdots + \beta^{2(M-1)}\right)\delta^2 \tag{17}$$

The objective function (17) is minimized by setting $\partial J/\partial\delta = 0$; the control law obtained is:

$$\delta = \frac{G^T(W - Y_0)}{G^T G + \lambda\left(1 + \beta^2 + \cdots + \beta^{2(M-1)}\right)} \tag{18}$$
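As an added worked example of Eqs. (11)–(18) (this is not the paper's code; the paper's controllers were built in Simulink), the following Python builds the stair-like vector G from the step-response coefficients of a constructed first-order discrete plant, computes the scalar increment δ of Eq. (18) at every step, applies only the first increment in receding-horizon fashion, and corrects the prediction with the measured output. The plant constants a and b, the horizons P, M and N, the stair ratio β and the weight λ are assumptions chosen for illustration.

```python
# Added example (not the paper's code): stair-like (stepped) DMC from Eqs. (11)-(18),
# closed on a constructed first-order discrete plant y[k+1] = a*y[k] + b*u[k].
# Plant constants, horizons, beta and lambda are assumptions chosen for illustration.


def step_response(a, b, n):
    """Unit-step response coefficients s_1..s_n of y[k+1] = a*y[k] + b*u[k]."""
    s, y = [], 0.0
    for _ in range(n):
        y = a * y + b * 1.0
        s.append(y)
    return s


def stair_vector(s, p, m, beta):
    """G of Eq. (15): G_i = sum_{j=0}^{min(i,M)-1} beta^j * s_{i-j}, i = 1..P."""
    g = []
    for i in range(1, p + 1):
        g.append(sum(beta ** j * s[i - j - 1] for j in range(min(i, m))))
    return g


def stepped_dmc_increment(g, w, y0, beta, m, lam):
    """delta of Eq. (18); w and y0 are the set-point and free-response vectors (length P)."""
    gtg = sum(gi * gi for gi in g)
    c = sum(beta ** (2 * j) for j in range(m))     # 1 + beta^2 + ... + beta^(2(M-1))
    return sum(gi * (wi - yi) for gi, wi, yi in zip(g, w, y0)) / (gtg + lam * c)


def simulate_stepped_dmc(a=0.9, b=0.1, setpoint=1.0, steps=80,
                         n=60, p=10, m=3, beta=0.5, lam=0.1):
    """Receding-horizon loop: only the first increment delta is applied each step.

    Returns (outputs, inputs) over the simulation.
    """
    s = step_response(a, b, n)
    g = stair_vector(s, p, m, beta)
    w = [setpoint] * p
    y_pred = [0.0] * n      # predicted outputs for k+1..k+n with no further moves
    u = y = 0.0
    ys, us = [], []
    for _ in range(steps):
        delta = stepped_dmc_increment(g, w, y_pred[:p], beta, m, lam)
        u += delta                                             # Delta u_t = delta applied
        y_pred = [yp + si * delta for yp, si in zip(y_pred, s)]  # effect of the move, Eq. (14)
        y = a * y + b * u                                      # plant advances one step
        err = y - y_pred[0]                                    # feedback correction term
        y_pred = [yp + err for yp in y_pred[1:] + [y_pred[-1]]]  # shift and correct
        ys.append(y)
        us.append(u)
    return ys, us


if __name__ == "__main__":
    outputs, inputs = simulate_stepped_dmc()
    print("final output %.4f, final input %.4f" % (outputs[-1], inputs[-1]))
```

Because every future move in the sequence is a fixed multiple of δ, the optimisation collapses to the scalar division of Eq. (18); the loop above never forms or inverts a matrix, which is the property the paper cites as the engineering advantage of the stepped algorithm.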

3.2 Multi-model Predictive Control
The nonlinearity of the main steam water level model is very serious under different power levels, so a multi-model switching predictive control algorithm is needed. Firstly, a DMC-based predictive controller is designed according to the linearized model at each power level. Then the "distance" between the actual working point and the design working point of each controller is calculated in real time, and the calculation


results are sorted and weighted. As shown in Fig. 3, the control input of the controlled object is calculated according to the following formula:

$$u = \frac{d_{index+1}}{d_{index} + d_{index+1}}\,u_{index} + \frac{d_{index}}{d_{index} + d_{index+1}}\,u_{index+1} \tag{19}$$

where $d_{index}$ and $d_{index+1}$ are the nearest and next-nearest "distances" between the actual working point and the design working points of the controllers, and $u_{index}$ and $u_{index+1}$ are the outputs of the corresponding controllers.

Fig. 3. Block diagram of multi-model predictive control (blocks: local model 1 … n controllers, local model 1 … n "distance", sort, linear interpolation, coordinated control system model; signals sp and pv)

For the main steam water level control system, the "distance" formula is shown in Eq. (20):

$$d_i = \left|\frac{y_{sp} - y_i}{y_{sp}}\right|,\quad i = 1, 2, \cdots, n \tag{20}$$

where $y_{sp}$ and $y_i$ are the main steam water level at the actual working point and at the design working point $i$ of the controller, respectively.
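The distance computation of Eq. (20) and the blending of the two nearest local controllers in Eq. (19), as an added example that is not the paper's code. The design points and controller outputs are constructed numbers; the handling of a single local model and of two design points that both coincide with the working point (denominator zero) is an added guard the paper does not discuss.

```python
# Added example (not the paper's code): the "distance" of Eq. (20) and the
# distance-weighted blending of the two nearest local controllers, Eq. (19).
# Design points and controller outputs are constructed values for illustration.


def distances(y_sp, design_points):
    """d_i = |(y_sp - y_i) / y_sp| for every controller design point y_i, Eq. (20)."""
    if y_sp == 0:
        raise ValueError("Eq. (20) is undefined for y_sp = 0")
    return [abs((y_sp - y_i) / y_sp) for y_i in design_points]


def blend_nearest(y_sp, design_points, controller_outputs):
    """Sort the distances, keep the two nearest controllers and apply Eq. (19).

    Returns (u, (index, index_plus_1)) where the indices refer to design_points.
    """
    if len(design_points) != len(controller_outputs) or not design_points:
        raise ValueError("one controller output is needed per design point")
    d = distances(y_sp, design_points)
    order = sorted(range(len(d)), key=lambda i: d[i])     # nearest first
    if len(order) == 1:                                    # single local model: no blend
        return controller_outputs[order[0]], (order[0], order[0])
    i0, i1 = order[0], order[1]
    denom = d[i0] + d[i1]
    if denom == 0.0:                                       # both points coincide with y_sp
        return controller_outputs[i0], (i0, i1)
    w0 = d[i1] / denom          # the nearer controller gets the larger weight
    w1 = d[i0] / denom
    return w0 * controller_outputs[i0] + w1 * controller_outputs[i1], (i0, i1)


if __name__ == "__main__":
    # constructed design points (water level, mm) and the local controllers' outputs
    points = [100.0, 200.0, 300.0]
    outputs = [1.0, 2.0, 3.0]
    for sp in (120.0, 200.0, 250.0):
        print(sp, blend_nearest(sp, points, outputs))
```

When the working point sits exactly on a design point its distance is zero, so Eq. (19) gives that controller the full weight and the switch between local models is bumpless; between design points the output moves linearly from one controller to the next.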

4 Simulation Verification

4.1 Linkage Relationship Between Primary Loop Control Systems
There is strong linkage and coupling between the loops of the primary loop control system. The relationship curves between core power and average temperature, between average temperature and regulator water level, and between power and steam generator water level are shown in Fig. 4, 5 and 6.


Fig. 4. Relationship between reactor power and average temperature

Fig. 5. Relationship between average temperature and water level setting value of regulator

4.2 Overall Simulation of Primary Circuit
After establishing the object mathematical models and corresponding predictive controllers of the primary core power control system, the regulator water level and pressure control system and the steam generator water level control system, the overall simulation environment is built in Simulink as shown in Fig. 7.


Fig. 6. Relationship between reactor power and water level setting value of steam generator

Fig. 7. Simulation diagram of primary loop control system (blocks: Reactor, SG, PRZ; signals N, Tavg, Ysp, Lsp, N-Ysp(mm), N-Tavg, Tavg-Lsp(%), PRZ_Psp(MPa))

4.2.1 Reactor Hot Start-Up Simulation
After flushing, air release, deaeration, heating and pressurization of the reactor coolant system, the pressurizer forms the vapour space and reaches the rated temperature. This is followed by decreasing the temperature and pressure and raising the control rods to start the reactor until it reaches the critical state. A comparison of the simulation results is shown in Fig. 8.


Fig. 8. Hot start simulation curves of primary loop control system: a) core power curve; b) regulator pressure curve; c) regulator water level curve; d) water level curve of steam generator

As can be seen from Fig. 8, during the hot start-up simulation of the reactor, the core power quickly tracks the change of the set value, the response time is very short and the overshoot is less than 3%; the regulator water level and pressure and the steam generator water level also respond quickly and reach the corresponding stable working points.

4.2.2 Variable Load Test
The continuous load change simulation runs in load-following mode, adjusting the power by decreasing the set value of the reactor output power according to the requirements of the grid. The set value of the reactor output power steps from 70% of full power to 50%, and then to 30% after a period of stabilization. The simulation results for the load changes are shown in Fig. 9. It can be seen from Fig. 9 that the core power still quickly tracks the change of the set value, the regulator pressure and the steam generator water level fluctuate little, and the regulator water level changes correspondingly with the average temperature of the reactor because the average temperature changes with the power.

Fig. 9. Variable load simulation curves of primary loop control system: a) core power curve; b) regulator pressure curve; c) regulator water level curve; d) water level curve of steam generator

5 Conclusions
Based on the object mechanism model of each subsystem of the primary loop control system, this paper applies advanced predictive control algorithms to the core power control system and the regulator pressure and liquid level control system. For the strong nonlinearity of the steam generator water level object, a multi-model predictive controller is designed based on the "distance" formula between typical operating points. Finally, through the relationship curves between the various subsystems, the linkage simulation of the entire primary loop system is carried out. The simulation results show that the application of advanced control algorithms to the primary loop system has good control performance and lays a solid foundation for subsequent practical engineering applications.

References
1. Duan, X.-H.: Modeling of PWR Core System and Simulation Study of Its Control System. North China Electric Power University, Beijing (2001)
2. Shi, Y.-J.: Modeling Control and Simulation Software Development of PWR Nuclear Power Plant. Shanghai Jiaotong University, Shanghai (2008)
3. Li-Wei, X.: Research on Fuzzy Control Application of Nuclear Power Plant Control System. Southeast University, Jiangsu (2014)


4. Wang, F.-Y.: Research on Modeling and Control Method of PWR Nuclear Power Plant Power Control System. Southeast University, Jiangsu (2018)
5. Li, S.-Y.: Predictive control of industrial process systems. Contr. Eng. 17(4), 407–415 (2010)
6. Zeng, D.-L., Gao, Y.-K., Yong, H., Liu, J.-Z.: Optimization control for the co-ordinated system of an ultra-supercritical unit based on st 
air-like predictive control algorithm. Contr. Eng. Pract. 82(1), 185–200 (2019)
7. Zeng, D.-L., Gao, Y.-K., Hu, Y., Liu, J.-Z.: Optimal control of drum boiler unit coordination system based on stepped generalized predictive control. Chinese J. Electr. Eng. 39(16), 4819–4826+4983 (2019)
8. Deng, Z.-G., Lv, X., Jian, Y.-F., et al.: Application of SDMC based on SCADE in core power control. Autom. Instr. 40(4), 99–102 (2019)
9. Xu, Z.-B.: Modeling Analysis and Control Research of Nuclear Power Plant Voltage Regulator Mechanism. South China University of Technology (2016)
10. Chen, T.-B., Xiao-Bo, F.: Mathematical model optimization and dynamic simulation of PWR regulators. Nucl. Power Eng. 36(6), 125–127 (2015)
11. Qian, H., Zhou, L., Fang, Z.-L.: Research on the decoupling control of the pressure and water level of the PWR nuclear power plant regulator. Nucl. Sci. Eng. 37(1), 5–11 (2017)
12. Qiao, J., Yang, P.: MCP? PID control of steam generator water level of PWR nuclear power plant. Nucl. Sci. Eng. 38(3), 367–374 (2018)
13. Irving, E., Bihoreaux, C.: Adaptive control of non-minimum phase system application to the PWR steam generator. In: Control and Decision Conference, Albuquerque N.H, USA, pp. 274–279 (1980). 19th IEEE Conference on Decision and Control including the Symposium on Adaptive Processes
14. Luo, G.-J.: Research on Parameter Setting of Ladder Predictive Controller. University of Science and Technology of China, Anhui (2006)

Research of SSAE-GPC in Coordinated Control System of Nuclear Power Plant

Zhi-Guang Deng(B), Qian Wu, Bi-Wei Zhu, Xin Lv, Jia-Liang Zhu, Si-Jie Xu, and Xue-Mei Wang
National Key Laboratory of Science and Technology on Reactor System Design Technology, Chengdu 610213, China

Abstract. For the problem of poor control effect of conventional PID controllers in complex systems, this paper fully combines the advantages of deep learning in feature extraction, regression prediction, and predictive control in dealing with multivariable, strong coupling and other issues. Firstly, the predictive model controller is constructed through the stacked sparse auto-encoder (SSAE) deep network, and then the stepped generalized predictive control (SGPC) is used as the rolling optimization controller. Thus, the SSAE-SGPC neural network predictive controller is built. Finally, a simulation experiment is carried out in the dual-input dual-output multi-variable coordinated control system of nuclear power plant. Through a series of simulations such as set value disturbance, internal disturbance and external disturbance, compared with conventional PID control, SSAE-GPC controller has better control effect.

Keywords: SSAE · SGPC · Coordinated control system · Nuclear power plant

1 Introduction
The conventional PID controller is one of the most widely used and basic controllers in process control. It is very effective for the control of linear time-invariant systems and generally achieves satisfactory control results. However, the PID controller cannot control nonlinear, time-varying and other complex multivariable systems well [1, 2]. The coordinated control system of a nuclear power plant is a complex control system with multiple variables, strong coupling and nonlinearity. Because of the needs of actual production and operation, the nuclear power plant has to adjust its load frequently, and the system parameters often deviate from the design conditions. The traditional PID control method is affected by the nonlinearity and the coupling between loops, and its control performance cannot meet the needs of safe and economic production [3, 4]. A neural network can express any nonlinear mapping and can model nonlinear systems [5]. Because of the particularity of its network structure, the sparse auto-encoder deep network is better at mining the intrinsic characteristics of objects [6]. The dynamic model of the system established with a neural network can be used for process prediction and parameter optimization as the prediction model of a predictive controller [7, 8]. Predictive control has the characteristics of low requirements

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 199–215, 2021. https://doi.org/10.1007/978-981-16-3456-7_21


on the model, strong robustness and automatic decoupling [9], while the stepped predictive controller has the advantages of a simple principle, convenient on-line tuning and no need to invert a matrix when solving with constraints [10]. In this paper, the SSAE-GPC controller is constructed by combining the advantages of deep learning and predictive control. Simulation results show that the controller has superior control performance.

2 SSAE-SGPC

2.1 Sparse Stacked Auto-Encoder (SSAE)
An auto-encoder (AE) consists of an encoder and a decoder: the input layer and the hidden layer together form the encoder, and the hidden layer and the output layer together form the decoder. After the sample data is fed into the input layer, the coded representation of the data is obtained at the hidden layer, and another representation of the original input data is finally obtained at the output layer. In a considerable number of applications, a sparsity constraint gives better feature expression and extraction. Taking a data set containing m samples as an example, the input and output of the i-th sample are written $x^{(i)}$ and $y^{(i)}$, $W_{ji}^{(l)}$ is the weight between the i-th neuron in layer l and the j-th neuron in layer l+1, and $h_{W,b}(x)$ is the predicted output of the auto-encoder model, so its loss function is defined as follows [11]:

$$J(W,b) = \frac{1}{m}\sum_{i=1}^{m}\frac{1}{2}\left\|h_{W,b}\left(x^{(i)}\right) - y^{(i)}\right\|^2 + \frac{\lambda}{2}\sum_{l=1}^{n_l-1}\sum_{i=1}^{s_l}\sum_{j=1}^{s_{l+1}}\left(W_{ji}^{(l)}\right)^2 \tag{1}$$

In formula (1), λ is the regularization coefficient, which is used to suppress over-fitting. The activation values of the neurons are obtained by the following formula:

$$a^{(l+1)} = f\left(z^{(l+1)}\right) = f\left(W^{(l)}a^{(l)} + b^{(l)}\right) \tag{2}$$

The activation function in this paper is the sigmoid function, shown in the following formula:

$$f_{logistic}(x) = \frac{1}{1 + e^{-x}} \tag{3}$$

If aj represents the activation degree of hidden layer neuron j when the input is x, its average activation degree can be obtained by the following formula: 1  (2)  (i)  aj x m m

ρˆ =

(4)

i=1

In order to obtain sparse representation of data samples, KL divergence is added on s2

the basis of (1), that is, penalty factor is added KL ρ||ρˆj , Form the final loss function j=1

representation. Jsparse (W , b) = J (W , b) + β

s2  j=1

KL ρ||ρˆj

(5)

Research of SSAE-GPC in Coordinated Control System


where β is the weight of the penalty term and $\mathrm{KL}\left(\rho \,\|\, \hat{\rho}_j\right)$ is the relative entropy between the sparsity parameter ρ (very small, usually close to 0) and the average activation $\hat{\rho}_j$, calculated as follows:

$$\mathrm{KL}\left(\rho \,\|\, \hat{\rho}_j\right) = \rho\ln\frac{\rho}{\hat{\rho}_j} + (1-\rho)\ln\frac{1-\rho}{1-\hat{\rho}_j} \qquad (6)$$

According to formula (6), the closer $\hat{\rho}_j$ is to ρ, the smaller the penalty term $\sum_{j=1}^{s_2}\mathrm{KL}\left(\rho \,\|\, \hat{\rho}_j\right)$ becomes, reaching 0 when $\hat{\rho}_j = \rho$; the larger the difference between $\hat{\rho}_j$ and ρ, the larger the penalty. The penalty term therefore punishes large deviations of $\hat{\rho}_j$ from ρ and so inhibits some of the hidden-layer neurons. After the loss function of the sparse autoencoder has been determined, its partial derivatives are obtained by the BP (back propagation) algorithm. In a three-layer sparse autoencoder, the error terms of the output layer and of the hidden layer are:

$$\delta_i^{(3)} = -\left(y_i - a_i^{(3)}\right) f'\left(z_i^{(3)}\right) \qquad (7)$$

$$\delta_i^{(2)} = \left[\sum_{j=1}^{s_2} W_{ji}^{(2)}\,\delta_j^{(3)} + \beta\left(-\frac{\rho}{\hat{\rho}_i} + \frac{1-\rho}{1-\hat{\rho}_i}\right)\right] f'\left(z_i^{(2)}\right) \qquad (8)$$

Then the optimized, updated weights are obtained by the gradient descent method from

$$\nabla_{W^{(l)}} J(W,b;x,y) = \delta^{(l+1)}\left(a^{(l)}\right)^T \qquad (9)$$

$$\nabla_{b^{(l)}} J(W,b;x,y) = \delta^{(l+1)} \qquad (10)$$

The SSAE network structure is shown in Fig. 1.
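The sparse-autoencoder loss (5) with the back-propagated error terms (7) and (8) above, as an added Python example (not code from the paper): a 6-4-6 autoencoder, the sample matrix and the hyperparameters ρ, β and λ are constructed here, and the analytic gradient is checked against central differences of the loss.

```python
import numpy as np

def sigmoid(z):
    """Logistic activation function of eq (3)."""
    return 1.0 / (1.0 + np.exp(-z))

def kl_divergence(rho, rho_hat):
    """Relative entropy KL(rho || rho_hat_j) of eq (6), evaluated per hidden unit."""
    return rho * np.log(rho / rho_hat) + (1 - rho) * np.log((1 - rho) / (1 - rho_hat))

def sparse_ae_loss_and_grads(params, X, rho=0.05, beta=3.0, lam=1e-3):
    """J_sparse of eq (5) and its gradients for a three-layer autoencoder.

    X holds one sample per column (n_in x m); params = (W1, b1, W2, b2).
    The weight-decay gradient lam*W comes from the second term of eq (1).
    """
    W1, b1, W2, b2 = params
    m = X.shape[1]
    z2 = W1 @ X + b1[:, None]                 # eq (2): hidden-layer pre-activation
    a2 = sigmoid(z2)
    z3 = W2 @ a2 + b2[:, None]                # eq (2): output (reconstruction) layer
    a3 = sigmoid(z3)
    rho_hat = a2.mean(axis=1)                 # eq (4): mean activation of each hidden unit
    recon = 0.5 * np.sum((a3 - X) ** 2) / m   # eq (1), first term (target y = x)
    decay = 0.5 * lam * (np.sum(W1 ** 2) + np.sum(W2 ** 2))   # eq (1), second term
    sparsity = beta * np.sum(kl_divergence(rho, rho_hat))     # penalty of eq (5)
    J = recon + decay + sparsity
    # Back propagation: eq (7) for the output layer, eq (8) for the hidden layer.
    delta3 = -(X - a3) * a3 * (1 - a3)
    sparse_term = beta * (-rho / rho_hat + (1 - rho) / (1 - rho_hat))
    delta2 = (W2.T @ delta3 + sparse_term[:, None]) * a2 * (1 - a2)
    grads = (
        delta2 @ X.T / m + lam * W1,          # eq (9) averaged over samples, plus decay
        delta2.sum(axis=1) / m,               # eq (10)
        delta3 @ a2.T / m + lam * W2,
        delta3.sum(axis=1) / m,
    )
    return J, grads

def gradient_check(params, X, eps=1e-5, **kw):
    """Largest relative error between the analytic gradients and central differences."""
    _, grads = sparse_ae_loss_and_grads(params, X, **kw)
    worst = 0.0
    for p, g in zip(params, grads):
        for idx in np.ndindex(p.shape):
            old = p[idx]
            p[idx] = old + eps
            j_plus, _ = sparse_ae_loss_and_grads(params, X, **kw)
            p[idx] = old - eps
            j_minus, _ = sparse_ae_loss_and_grads(params, X, **kw)
            p[idx] = old
            numeric = (j_plus - j_minus) / (2 * eps)
            worst = max(worst, abs(numeric - g[idx]) / max(abs(numeric) + abs(g[idx]), 1e-12))
    return worst

def make_demo(seed=0):
    """Constructed data: 20 six-dimensional samples in (0.1, 0.9) and a 6-4-6 autoencoder."""
    rng = np.random.default_rng(seed)
    X = rng.uniform(0.1, 0.9, size=(6, 20))
    params = (rng.normal(scale=0.1, size=(4, 6)), rng.normal(scale=0.1, size=4),
              rng.normal(scale=0.1, size=(6, 4)), rng.normal(scale=0.1, size=6))
    return params, X

if __name__ == "__main__":
    params, X = make_demo()
    J, _ = sparse_ae_loss_and_grads(params, X)
    print(f"J_sparse = {J:.4f}, max relative gradient error = {gradient_check(params, X):.2e}")
```

With the hidden activations near 0.5 and ρ = 0.05 the KL term dominates the loss, which is exactly the pressure that drives most hidden units towards inactivity.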

[Fig. 1: stacked encoder layers, each trained to produce a reconstruction of x, followed by a softmax output layer.]

Fig. 1. SSAE network structure diagram


2.2 SSAE-SGPC

2.2.1 Univariate SSAE-SGPC

Like general predictive control, neural network predictive control includes three parts: the predictive model, feedback correction and rolling optimization [12]. Predictive control based on neural networks mainly takes two forms: in one, both the rolling optimization controller and the predictive model use neural networks; in the other, the rolling optimization controller uses another algorithm (generalized predictive control, etc.) and only the predictive model uses a neural network. Considering that the weight-correction process of a neural network is computationally heavy, and that the convergence speed of the network is also a problem that cannot be ignored, this paper adopts the latter form to fit engineering practice better, and the rolling optimization controller uses the stepped generalized predictive control algorithm. The prediction model in this paper is realized by the SSAE neural network; its structure is shown in Fig. 2.

[Fig. 2: the inputs y(n-1), y(n-2), ..., y(n-ny) and u(n-1), u(n-2), ..., u(n-nu) feed the SSAE, which outputs Ym(n).]

Fig. 2. Structure diagram of SSAE prediction model

In the neural network predictive control system, the predictive model is realized by a multilayer feedforward neural network with a delay structure, which is called a nonlinear autoregressive moving average model with exogenous input (NARMAX). It can express a large class of nonlinear discrete systems, and its dynamic characteristics are expressed by the following formula [13]:

$$y(n) = F\left[y(n-1), y(n-2), \cdots, y(n-n_y),\; u(n-1), u(n-2), \cdots, u(n-n_u)\right] \qquad (11)$$

where y(n) is the process output at time n and u(n) is the control input at time n. When the network structure shown in Fig. 2 is adopted, taking a typical three-layer structure as an example, the expression can be written in detail as follows:

$$y(n) = f_2\left\{\sum_{j=1}^{N_{hid}} w_j\, f_{1j}\left[net_j(n)\right] + b\right\} \qquad (12)$$


$$net_j(n) = \sum_{i=1}^{n_y} w_{j,i}\, y(n-i) + \sum_{i=1}^{n_u} w_{j,n_y+i}\, u(n-i) + b_j \qquad (13)$$

where $f_2(\cdot)$ is the activation (excitation) function of the output-layer node; $f_{1j}(\cdot)$ is the activation function of the j-th hidden-layer node; $N_{hid}$ is the number of hidden-layer nodes; $n_u$ is the number of input nodes for $u(\cdot)$; $n_y$ is the number of input nodes for $y(\cdot)$; $w_j$ is the connection weight from the j-th hidden node to the output node; $w_{j,i}$ is the connection weight from the i-th input node to the j-th hidden node; b is the output node threshold; and $b_j$ is the j-th hidden node threshold. The neural network predictive control algorithm predicts the dynamic response to any input from the current time n to the future time n + k through the model of the controlled object:

$$y_m(n+k) = f_2\left(\sum_{j=1}^{N_{hid}} w_j\, f_{1j}\left[net_j(n+k)\right] + b\right) \qquad (14)$$

$$net_j(n+k) = \sum_{i=1}^{\min(k-1,\,n_y)} w_{j,i}\, y_p(n+k-i) + \sum_{i=k}^{n_y} w_{j,i}\, y(n+k-i) + \sum_{i=1}^{n_u} \omega_{j,n_y+i}\begin{cases} u(n+k-i), & k-i \le N_u-1 \\ u(n+N_u-1), & k-i > N_u-1 \end{cases} + b_j \qquad (15)$$

where $y_m(n)$ is the prediction model output at time n and $y_p(n)$ is the predicted value after correction. In this paper $f_{1j}(\cdot)$ uses the ReLU activation function

$$\phi(x) = \begin{cases} 0, & x \le 0 \\ x, & x > 0 \end{cases} \qquad (16)$$

and $f_2(\cdot)$ uses the linear function

$$\varphi(x) = x \qquad (17)$$

In practice there are often errors between the output of the prediction model and the output of the process. It is therefore necessary to measure the actual output of the object and use this real-time information to correct the model-based prediction before a new optimization is made. The prediction error at time n is

$$e_m(n) = y(n) - y_m(n) \qquad (18)$$

and the predicted value after correction is

$$y_p(n+j) = y_m(n+j) + h\, e_m(n) \qquad (19)$$

The performance index function used in neural network predictive control is as follows:

$$J = \sum_{j=N_1}^{N_2}\left[y_r(n+j) - y_p(n+j)\right]^2 + \sum_{j=0}^{N_u-1}\lambda(j)\left[\Delta u(n+j)\right]^2 \qquad (20)$$


where $N_1$ is the minimum prediction horizon; $N_2$ is the maximum prediction horizon; $N_u$ is the control horizon; λ is the control weighting constant; $\Delta u(n+j) = u(n+j) - u(n+j-1)$; h is the error correction coefficient; and $y_r$ is the reference trajectory, which takes an exponential form:

$$y_r(n+j) = \alpha_{ri}\, y(k) + \left(1 - \alpha_{ri}\right) r \qquad (21)$$

where $\alpha_{ri}$ is a smoothing factor controlling the rising rate of the reference trajectory and r is the system input. The purpose of minimizing the performance index is to determine the control sequence $U = [u(n), u(n+1), \cdots, u(n+N_u-1)]^T$. It can be obtained iteratively by the Newton-Raphson method, setting the Jacobian of the performance index to zero. In the iteration, the intermediate value of J is written J(k) and the intermediate value of U is $U(k) = [u(n), u(n+1), \cdots, u(n+N_u-1)]^T$. The iterative formula for U(k+1) is then

$$U(k+1) = U(k) - \left[\frac{\partial^2 J(k)}{\partial U^2}\right]^{-1}\frac{\partial J(k)}{\partial U} \qquad (22)$$

where

$$\frac{\partial J(k)}{\partial U} = \left[\frac{\partial J}{\partial u(n)},\ \frac{\partial J}{\partial u(n+1)},\ \cdots,\ \frac{\partial J}{\partial u(n+N_u-1)}\right]^T$$

is the Jacobian matrix and

$$\frac{\partial^2 J(k)}{\partial U^2} = \begin{bmatrix} \dfrac{\partial^2 J}{\partial u(n)^2} & \cdots & \dfrac{\partial^2 J}{\partial u(n)\,\partial u(n+N_u-1)} \\ \vdots & \ddots & \vdots \\ \dfrac{\partial^2 J}{\partial u(n+N_u-1)\,\partial u(n)} & \cdots & \dfrac{\partial^2 J}{\partial u(n+N_u-1)^2} \end{bmatrix}$$

is the Hessian matrix.

In every Newton-Raphson iteration, every element of the Jacobian and Hessian matrices must be calculated. The h-th element of the Jacobian matrix is

$$\frac{\partial J}{\partial u(n+h)} = -2\sum_{j=N_1}^{N_2}\left[y_r(n+j) - y_p(n+j)\right]\frac{\partial y_m(n+j)}{\partial u(n+h)} + 2\sum_{j=0}^{N_u-1}\lambda(j)\,\Delta u(n+j)\,\frac{\partial \Delta u(n+j)}{\partial u(n+h)}, \qquad h = 0, \ldots, N_u-1 \qquad (23)$$

where

$$\frac{\partial \Delta u(n+j)}{\partial u(n+h)} = \frac{\partial u(n+j)}{\partial u(n+h)} - \frac{\partial u(n+j-1)}{\partial u(n+h)} = \delta(h,j) - \delta(h,j-1), \qquad \delta(h,j) = \begin{cases} 1, & h = j \\ 0, & h \ne j \end{cases}$$

is the Kronecker delta function.


The (m, h) element of the Hessian matrix is

$$\frac{\partial^2 J}{\partial u(n+m)\,\partial u(n+h)} = 2\sum_{j=N_1}^{N_2}\left[\frac{\partial y_m(n+j)}{\partial u(n+m)}\frac{\partial y_m(n+j)}{\partial u(n+h)} - \left(y_r(n+j) - y_p(n+j)\right)\frac{\partial^2 y_m(n+j)}{\partial u(n+m)\,\partial u(n+h)}\right] + 2\sum_{j=0}^{N_u-1}\lambda(j)\left[\delta(m,j) - \delta(m,j-1)\right]\left[\delta(h,j) - \delta(h,j-1)\right]$$

$$h = 0, \ldots, N_u-1, \qquad m = 0, \ldots, N_u-1$$

To calculate the Jacobian and Hessian matrices, the first and second derivatives of the multilayer feedforward neural network with respect to the control input vector are needed; they are obtained by differentiating the performance index function (20) with respect to u(n+h).

2.2.2 Multivariable SSAE-GPC

When the neural network predictive control method is extended to the multivariable case, its NARMAX dynamic model is

$$\mathbf{y}(n) = F\left[\mathbf{y}(n-1), \mathbf{y}(n-2), \cdots, \mathbf{y}(n-n_y),\; \mathbf{u}(n-1), \mathbf{u}(n-2), \cdots, \mathbf{u}(n-n_u)\right] \qquad (24)$$

where $\mathbf{y}(n) = [y_1(n), \cdots, y_p(n)]^T$ and $\mathbf{u}(n) = [u_1(n), \cdots, u_m(n)]^T$; p and m are the numbers of components of y(n) and u(n) respectively, and the prediction error is

$$\mathbf{e}(n) = \mathbf{y}(n) - \mathbf{y}_m(n) \qquad (25)$$

where $\mathbf{e}(n) = [e_1(n), \cdots, e_p(n)]^T$ and $\mathbf{y}_m(n) = [y_{m1}(n), \cdots, y_{mp}(n)]^T$. The performance index function is

$$J = \sum_{i=1}^{p}\left(\mathbf{W}_i - \mathbf{Y}_i\right)^T\left(\mathbf{W}_i - \mathbf{Y}_i\right) + \sum_{j=1}^{m}\lambda(j)\,\Delta\mathbf{U}_j^T\,\Delta\mathbf{U}_j \qquad (26)$$

where

$$\mathbf{W}_i^T = \left[w_i(n+N_1(i)), \cdots, w_i(n+N_2(i))\right], \qquad \mathbf{Y}_i^T = \left[y_i(n+N_1(i)), \cdots, y_i(n+N_2(i))\right]$$


$$\Delta\mathbf{U}_j^T = \left[u_j(n) - u_j(n-1), \cdots, u_j(n+N_u(j)) - u_j(n+N_u(j)-1)\right]$$

$N_1$ and $N_2$ are the prediction horizon vectors, i is the index of the corresponding variable, W is the reference trajectory, and ΔU is the increment of the control quantity. The structure is shown in Fig. 3.

[Fig. 3: the system input and the reference track are compared with the corrected prediction; the rolling optimization controller drives the controlled object, whose output is compared with the output of the neural network prediction model to form the feedback correction.]

Fig. 3. Schematic diagram of neural network predictive control
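The univariate SGPC loop of 2.2.1 (prediction with the held-input rule of eq (15), the correction of eqs (18)-(19), the cost (20), the reference trajectory (21) and the Newton-Raphson step (22)) as an added Python example, not the paper's code. The SSAE prediction model is replaced by a constructed linear first-order model so that the closed loop can be checked, the Jacobian and Hessian of eq (23) are obtained by central differences of J instead of by differentiating the network, and the horizons N1, N2, Nu and the constants λ, α, h are assumed values.

```python
import numpy as np

class FirstOrderModel:
    """Constructed stand-in for the SSAE prediction model: y(n) = a*y(n-1) + b*u(n-1),
    i.e. the NARMAX form of eq (11) with n_y = n_u = 1."""
    def __init__(self, gain=2.0, tau=5.0, dt=1.0):
        self.a = np.exp(-dt / tau)
        self.b = gain * (1.0 - self.a)

    def predict(self, y_now, u_seq):
        """Open-loop predictions ym(n+1 .. n+len(u_seq)) from y(n) and u(n..), cf. eq (14)."""
        out, y = [], y_now
        for u in u_seq:
            y = self.a * y + self.b * u
            out.append(y)
        return np.array(out)

class SGPC:
    """Rolling optimization of eq (20) by the Newton-Raphson iteration of eq (22)."""
    def __init__(self, model, N1=1, N2=10, Nu=3, lam=0.01, alpha=0.8, h=1.0):
        self.model, self.N1, self.N2, self.Nu = model, N1, N2, Nu
        self.lam, self.alpha, self.h = lam, alpha, h

    def cost(self, U, y_now, u_prev, em, r):
        # Beyond the control horizon the input is held at u(n+Nu-1), as in eq (15).
        u_seq = np.concatenate([U, np.full(self.N2 - self.Nu, U[-1])])
        ym = self.model.predict(y_now, u_seq)                       # ym(n+1 .. n+N2)
        yp = ym + self.h * em                                       # eq (19)
        j = np.arange(1, self.N2 + 1)
        yr = self.alpha ** j * y_now + (1 - self.alpha ** j) * r    # eq (21)
        track = np.sum((yr[self.N1 - 1:] - yp[self.N1 - 1:]) ** 2)
        du = np.diff(np.concatenate([[u_prev], U]))                 # Δu(n+j) of eq (20)
        return track + self.lam * np.sum(du ** 2)

    def gradient_hessian(self, U, args, eps=1e-4):
        """Jacobian and Hessian of J by central differences (exact up to rounding for a
        linear model, where J is quadratic in U); stands in for eq (23)."""
        n = len(U)
        g, H = np.zeros(n), np.zeros((n, n))
        J0 = self.cost(U, *args)
        E = np.eye(n) * eps
        for i in range(n):
            Jp, Jm = self.cost(U + E[i], *args), self.cost(U - E[i], *args)
            g[i] = (Jp - Jm) / (2 * eps)
            H[i, i] = (Jp - 2 * J0 + Jm) / eps ** 2
            for k in range(i + 1, n):
                Jpp = self.cost(U + E[i] + E[k], *args)
                Jpm = self.cost(U + E[i] - E[k], *args)
                Jmp = self.cost(U - E[i] + E[k], *args)
                Jmm = self.cost(U - E[i] - E[k], *args)
                H[i, k] = H[k, i] = (Jpp - Jpm - Jmp + Jmm) / (4 * eps ** 2)
        return g, H

    def control(self, y_now, u_prev, em, r, iters=5):
        """Returns u(n), the first element of the optimized sequence U."""
        U = np.full(self.Nu, float(u_prev))
        args = (y_now, u_prev, em, r)
        for _ in range(iters):
            g, H = self.gradient_hessian(U, args)
            step = np.linalg.solve(H, g)
            U = U - step                                            # eq (22)
            if np.max(np.abs(step)) < 1e-9:
                break
        return U[0]

def simulate(steps=150, r=1.0):
    """Closed loop on a constructed plant identical to the prediction model, so the
    correction term em of eq (18) stays at zero and the loop tracks the setpoint r."""
    plant = FirstOrderModel()
    ctrl = SGPC(FirstOrderModel())
    y, u_prev, ym_next, ys = 0.0, 0.0, 0.0, []
    for _ in range(steps):
        em = y - ym_next                                            # eq (18)
        u = ctrl.control(y, u_prev, em, r)
        ym_next = ctrl.model.predict(y, [u])[0]                     # model's one-step forecast
        y = plant.a * y + plant.b * u                               # controlled object advances
        u_prev = u
        ys.append(y)
    return np.array(ys)

if __name__ == "__main__":
    ys = simulate()
    print("y after 10, 50, 150 steps:", ys[9], ys[49], ys[-1])
```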

3 Coordination System Control Based on SSAE-GPC

3.1 Coordinated System Model of Nuclear Power Plant

The coordinated controlled object of a nuclear power plant has two inputs and two outputs, and its inputs and outputs are interrelated and coupled. In a PWR nuclear power plant, the main steam pressure and the turbine load constitute the coordinated controlled object, as shown in Fig. 4. The inputs of the controlled object are the steam turbine valve opening $u_t$ and the control rod displacement $u_z$; the outputs are the main steam pressure $p_s$ and the turbine power $N_e$.

[Fig. 4: $u_z$ acts on $p_s$ through $G_{11}(s)$ and on $N_e$ through $G_{21}(s)$; $u_t$ acts on $p_s$ through $G_{12}(s)$ and on $N_e$ through $G_{22}(s)$; the two contributions to each output are summed.]

Fig. 4. Schematic diagram of coordinated control system of nuclear power plant

In this paper, based on the simulation data of a 900 MW PWR nuclear power plant model [14–16], the dynamic transfer function model of the coordinated control system


of the PWR nuclear power plant is obtained by fitting the experimental data with the least squares method.

Transfer function from control rod displacement to main steam pressure (dimension MPa/cm):

$$G_{11}(s) = \frac{p_s(s)}{u_z(s)} = \frac{0.00036}{1 + 18s}\, e^{-5s} \qquad (27)$$

Transfer function from control rod displacement to turbine power (dimension MW/cm):

$$G_{21}(s) = \frac{N_e(s)}{u_z(s)} = \frac{0.292}{(1 + 18s)(1 + 12s)}\, e^{-5s} \qquad (28)$$

Transfer function from valve opening to main steam pressure (dimension MPa/%):

$$G_{12}(s) = \frac{p_s(s)}{u_t(s)} = \frac{-0.0435}{1 + 5s} \qquad (29)$$

Transfer function from valve opening to turbine power (dimension MW/%):

$$G_{22}(s) = \frac{N_e(s)}{u_t(s)} = \frac{42s}{(1 + 5s)(1 + 12s)} \qquad (30)$$

To sum up, the transfer function matrix of the nuclear power plant coordinated control object is

$$\begin{bmatrix} p_s \\ N_e \end{bmatrix} = \begin{bmatrix} G_{11}(s) & G_{12}(s) \\ G_{21}(s) & G_{22}(s) \end{bmatrix}\begin{bmatrix} u_z \\ u_t \end{bmatrix} = \begin{bmatrix} \dfrac{0.00036}{1 + 18s}\, e^{-5s} & \dfrac{-0.0435}{1 + 5s} \\[2ex] \dfrac{0.292}{(1 + 18s)(1 + 12s)}\, e^{-5s} & \dfrac{42s}{(1 + 5s)(1 + 12s)} \end{bmatrix}\begin{bmatrix} u_z \\ u_t \end{bmatrix} \qquad (31)$$
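The transfer function matrix (31) simulated in discrete time, as an added Python example that is not part of the paper: each first-order lag is integrated with explicit Euler, the 5 s transport delay is a sample buffer, and step responses of both inputs show the coupling the text describes (the valve has no steady-state effect on power but a large transient one). The step size dt and the step amplitudes are assumptions.

```python
import numpy as np
from collections import deque

class Lag:
    """First-order lag 1/(1+T s), integrated with explicit Euler at step dt."""
    def __init__(self, T, dt):
        self.T, self.dt, self.x = T, dt, 0.0

    def step(self, u):
        self.x += self.dt * (u - self.x) / self.T
        return self.x

class Delay:
    """Pure transport delay e^{-tau s}; tau is rounded to a whole number of steps."""
    def __init__(self, tau, dt):
        self.buf = deque([0.0] * int(round(tau / dt)))

    def step(self, u):
        if not self.buf:
            return u
        self.buf.append(u)
        return self.buf.popleft()

class CoordinatedObject:
    """The 2x2 transfer function matrix of eq (31): inputs u_z [cm] and u_t [%],
    outputs p_s [MPa] and N_e [MW]."""
    def __init__(self, dt=0.1):
        self.g11 = (Delay(5, dt), Lag(18, dt))                    # eq (27)
        self.g21 = (Delay(5, dt), Lag(18, dt), Lag(12, dt))       # eq (28)
        self.g12 = Lag(5, dt)                                     # eq (29)
        # eq (30): 42 s / ((1+5s)(1+12s)) = 8.4 * [v - v/(1+5s)] with v = u_t/(1+12s)
        self.g22_lag12, self.g22_lag5 = Lag(12, dt), Lag(5, dt)

    def step(self, uz, ut):
        d11, l11 = self.g11
        ps_from_rod = 0.00036 * l11.step(d11.step(uz))
        d21, l21a, l21b = self.g21
        ne_from_rod = 0.292 * l21b.step(l21a.step(d21.step(uz)))
        ps_from_valve = -0.0435 * self.g12.step(ut)
        v = self.g22_lag12.step(ut)
        ne_from_valve = 8.4 * (v - self.g22_lag5.step(v))
        return ps_from_rod + ps_from_valve, ne_from_rod + ne_from_valve

def step_response(uz, ut, t_end=400.0, dt=0.1):
    """Outputs for constant inputs applied from t = 0 (all states start at zero)."""
    obj = CoordinatedObject(dt)
    n = int(round(t_end / dt))
    ps, ne = np.empty(n), np.empty(n)
    for k in range(n):
        ps[k], ne[k] = obj.step(uz, ut)
    return np.arange(1, n + 1) * dt, ps, ne

if __name__ == "__main__":
    _, ps, ne = step_response(uz=10.0, ut=0.0)
    print(f"rod +10 cm:  p_s -> {ps[-1]:.5f} MPa, N_e -> {ne[-1]:.3f} MW")
    _, ps, ne = step_response(uz=0.0, ut=10.0)
    print(f"valve +10 %: p_s -> {ps[-1]:.4f} MPa, N_e peak {ne.max():.1f} MW, final {ne[-1]:.4f} MW")
```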

3.2 SSAE-GPC Model Prediction

The control rod position input is a random number between 0 and 80, and the corresponding main steam pressure and steam turbine power outputs are calculated by the transfer functions. Likewise, the valve opening input is a random number between 0 and 10, and the corresponding main steam pressure and steam turbine power outputs are calculated by the transfer functions. Of these data, 1000 sets are selected as training samples and 200 sets as test samples. The network fitting curves of the training and test samples for the SSAE and for the optimized BP neural network are shown in Figs. 5, 6, 7 and 8; the BP network uses optimization measures such as regularization, exponential decay of the learning rate and a moving average of the parameters. The network structure of both the SSAE and the optimized BP network is 11 × 23 × 9 × 1, the learning rate is 0.0001 and the optimizer is Adam. The learning rate exponential decay rate of the BP network is 0.99 and the parameter moving average decay rate is 0.99.

[Fig. 5 panels: train samples (Ps/MPa vs time/s, 0–1600 s) and test samples (Ps/MPa vs time/s, 0–400 s), each with curves BP, SSAE and yk; loss value vs epochs (0–2000) for BP and SSAE.]

Fig. 5. Training, testing and error curve of control rod displacement-main steam pressure object

[Fig. 6 panels: train samples (Ne/MW vs time/s, 0–1600 s) and test samples (Ne/MW vs time/s, 0–400 s), each with curves BP, SSAE and yk; loss value vs epochs (0–5000) for BP and SSAE.]

Fig. 6. Training, testing and error curve of control rod displacement-steam turbine power object

[Fig. 7 panels: train samples (Ps/MPa vs time/s, 0–1600 s) and test samples (Ps/MPa vs time/s, 0–400 s), each with curves BP, SSAE and yk; loss value vs epochs (0–5000) for BP and SSAE.]

Fig. 7. Training, testing and error curve of valve opening-main steam pressure object

[Fig. 8 panels: train samples (Ne/MW vs time/s, 0–1600 s) and test samples (Ne/MW vs time/s, 0–400 s), each with curves BP, SSAE and yk; loss value vs epochs (0–10000) for BP and SSAE.]

Fig. 8. Training, testing and error curve of valve opening-steam turbine power object


The Frechet distance is a method for judging the similarity of two curves based on the similarity of their paths in space; it uses the spatial distance along the paths to evaluate the similarity of two spatio-temporal curves more efficiently. Let (S, d) be a metric space, where d is the metric on S. A and B are two continuous curves in S, i.e. A: [0, 1] → S and B: [0, 1] → S. Let α and β be two re-parameterization functions, i.e. α: [0, 1] → [0, 1] and β: [0, 1] → [0, 1]; then the Frechet distance F(A, B) of the curves A and B is defined as

$$F(A,B) = \inf_{\alpha,\beta}\ \max_{t \in [0,1]}\left\{ d\left(A(\alpha(t)),\, B(\beta(t))\right)\right\} \qquad (32)$$

According to this distance, the calculation results of the physical DCS and the Simulink platform are given in the table below. By calculating the Frechet distance between the BP prediction results, the SSAE prediction results and the real data, the relative merit of the two networks can be analysed by quantitative deviation calculation (Table 1).

Table 1. Frechet distance of the two imitation results

Transfer function   Frechet distance (BP)   Frechet distance (SSAE)
G11                 0.0957                  0.0517
G21                 0.00759                 0.00643
G12                 0.00630                 0.00171
G22                 0.00763                 0.00146
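The distance of eq (32) applied to sampled prediction curves, as an added Python example (not the paper's code): the standard discrete Frechet distance replaces the infimum over re-parameterizations by a minimum over monotone couplings of the sample points, and the "real" response and the two constructed predictions (one offset, one lagged) are assumptions used to show how offset and lag errors score differently.

```python
import math

def discrete_frechet(A, B):
    """Discrete Frechet distance between polylines A and B (sequences of points): the
    dynamic-programming approximation of eq (32) over monotone vertex couplings."""
    n, m = len(A), len(B)
    ca = [[0.0] * m for _ in range(n)]
    for i in range(n):
        for j in range(m):
            dij = math.dist(A[i], B[j])
            if i == 0 and j == 0:
                ca[i][j] = dij
            elif i == 0:
                ca[i][j] = max(ca[0][j - 1], dij)
            elif j == 0:
                ca[i][j] = max(ca[i - 1][0], dij)
            else:
                ca[i][j] = max(min(ca[i - 1][j], ca[i - 1][j - 1], ca[i][j - 1]), dij)
    return ca[n - 1][m - 1]

def series_to_curve(values, dt=1.0, time_scale=1.0):
    """Turn a sampled series into (t, y) points; time_scale lets the caller weight the
    time axis against the value axis, since the two carry different units."""
    return [(k * dt * time_scale, v) for k, v in enumerate(values)]

def frechet_between_series(real, predicted, dt=1.0, time_scale=1.0):
    """Frechet distance between a measured series and a model prediction of it."""
    return discrete_frechet(series_to_curve(real, dt, time_scale),
                            series_to_curve(predicted, dt, time_scale))

def demo():
    """Constructed curves: a first-order step response as the 'real' data, one
    prediction with a constant 0.01 offset and one that lags the real curve by 2 s."""
    t = [float(k) for k in range(60)]
    real = [1 - math.exp(-x / 10) for x in t]
    offset = [y + 0.01 for y in real]
    lagged = [1 - math.exp(-(x - 2) / 10) if x >= 2 else 0.0 for x in t]
    return frechet_between_series(real, offset), frechet_between_series(real, lagged)

if __name__ == "__main__":
    d_offset, d_lagged = demo()
    print(f"Frechet distance: offset prediction {d_offset:.4f}, lagged prediction {d_lagged:.4f}")
```

Because the time axis is part of the point coordinates, a 2 s lag cannot be matched away by shifting indices (that would cost a full sample step in t), so the lagged prediction is scored by its largest value gap rather than being hidden as in a plain RMS comparison.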

4 Simulation Verification

4.1 Setpoint Disturbance Simulation

During the operation of a nuclear power plant it is sometimes necessary to adjust the power set value according to the grid load, to optimize the steam quality and to adjust the main steam pressure. When the control system acts, it quickly brings the controlled quantity to the set value and holds it stable. When the set value of the main steam pressure increases by 1 MPa, the controlled quantity curves are shown in Fig. 9 and the control quantity curves in Fig. 10. It can be seen from Fig. 9 and Fig. 10 that when the set value of the main steam pressure increases, the main steam pressure output curves of both the SSAE-GPC controller and the PID controller quickly track the set value, and the pressure curve under SSAE-GPC has a faster rise, a shorter settling time and a smaller overshoot. When the main steam pressure is adjusted, the actual power settles back at its initial value after a period of time.


[Fig. 9 panels: Ps/MPa vs time/s (0–450 s) with curves Ps-SP, Ps-SSAE GPC and Ps-PID; Ne/MW vs time/s with curves Ne-SSAE GPC and Ne-PID.]

Fig. 9. Controlled quantity curve when the set value of main steam pressure increases by 1 MPa

[Fig. 10 panels: uz/cm vs time/s (0–450 s) with curves uz-SSAE GPC and uz-PID; ut/% vs time/s with curves ut-SSAE GPC and ut-PID.]

Fig. 10. Curve of control quantity when the set value of main steam pressure increases by 1 MPa

Figure 11 and Fig. 12 are simulation curves when the set value of steam turbine power load increases by 5 MW. It can be seen from the figures that when the set value of actual power increases, the power curve controlled by SSAE-GPC reaches the set value before the conventional PID power curve and remains stable. At the same time, when the power is adjusted, the main steam pressure basically does not fluctuate and remains at the original set value.


[Fig. 11 panels: Ps/MPa vs time/s (0–450 s) with curves Ps-SSAE GPC and Ps-PID; Ne/MW vs time/s with curves Ne-SP, Ne-SSAE GPC and Ne-PID.]

Fig. 11. Controlled quantity curve when steam turbine power set value increases by 5 MW

[Fig. 12 panels: uz/% vs time/s (0–450 s) with curves uz-SSAE GPC and uz-PID; ut/% vs time/s with curves ut-SSAE GPC and ut-PID.]

Fig. 12. Control curve when the steam turbine power set point increases by 5 MW

4.2 Internal Disturbance Simulation

During the operation of a nuclear power plant, the control function may be affected by unknown factors that change the control quantity and affect the performance of the control system. When there is an internal disturbance, the control system should quickly eliminate its influence and return the output of the controlled quantity to the original set value. At 50 s, an internal disturbance increasing the control rod displacement by 10 cm is introduced. The simulation curves are shown in Fig. 13 and Fig. 14. It can be seen from the figures that when the control rod position is disturbed by the internal disturbance, the control rod position returns to its initial value after a period of adjustment, so that the output curve of real power returns to its original value, while the output curve of the main steam pressure does not change significantly. The simulation shows that SSAE-GPC can quickly adjust the output of the control variable when the system has an internal disturbance, so that the control variable returns to its original level, eliminating the influence of the control variable disturbance on the controlled variable; it therefore has better anti-internal-disturbance ability.

[Fig. 13 panels: uz/% vs time/s (0–450 s) with curves uz-SSAE GPC and uz-PID; ut/% vs time/s with curves ut-SSAE GPC and ut-PID.]

Fig. 13. Curve of control quantity when the displacement of control rod increases by 10 cm due to internal disturbance

[Fig. 14 panels: Ps/MPa vs time/s (0–450 s) with curves Ps-SSAE GPC and Ps-PID; Ne/MW vs time/s with curves Ne-SSAE GPC and Ne-PID.]

Fig. 14. Controlled quantity curve when control rod displacement increases by 10 cm due to internal disturbance


4.3 External Disturbance Simulation

In addition to internal disturbances, the controlled quantities are affected by external disturbances during the operation of a nuclear power plant. When an external disturbance occurs, the control system should quickly eliminate its influence on the controlled quantities and keep them at the original set value level. Figure 15 and Fig. 16 are the simulation curves when the main steam pressure increases by 0.1 MPa due to an external disturbance. It can be seen from the figures that when the main steam pressure is affected by the external disturbance, the control output changes rapidly to adjust the opening of the main steam valve and the control rod position, so that the main steam pressure quickly returns to the original set value.

[Fig. 15 panels: Ps/MPa vs time/s (0–450 s) with curves Ps-SSAE GPC and Ps-PID; Ne/MW vs time/s with curves Ne-SSAE GPC and Ne-PID.]

Fig. 15. Controlled quantity curve when main steam pressure increases by 0.1 MPa due to external disturbance

[Fig. 16 panels: uz/% vs time/s (0–450 s) with curves uz-SSAE GPC and uz-PID; ut/% vs time/s with curves ut-SSAE GPC and ut-PID.]

Fig. 16. Control curve when main steam pressure increases by 0.1 MPa due to external disturbance


5 Conclusion In this paper, the SSAE-SGPC controller is built by fully combining the advantages of SSAE’s nonlinear object mapping and SGPC’s control, which is verified by simulation in the coordinated control system of nuclear power plant. From the results of object regression prediction, it can be seen that SSAE has better prediction effect than the optimized BP neural network. At the same time, simulation experiments such as main steam pressure and turbine power set point disturbance, control rod internal disturbance and main steam pressure external disturbance show that SSAE-SGPC has faster response speed than conventional PID.

References

1. Wang, L., Song, W.-Z.: PID control. Autom. Instr. (04), 3–8 (2004)
2. Shen, Y.-F., Wu, S.-J., Deng, F.-L.: Summary of intelligent PID control. Ind. Instr. Autom. (06), 11–13+24 (2002)
3. Shi, X.-C., Xin, C.-D., Bian, X.-Q., Lu, Y.-L.: Research on intelligent coordinated control strategy of marine power plant. Ship Eng. (02), 18–20+2 (1997)
4. Li-Wei, X.: Research on the Application of Fuzzy Control in Nuclear Power Plant Control System. Southeast University, Jiangsu (2014)
5. Wang, X.-X., Xu, L.-H.: Research on short-term traffic flow prediction based on deep learning. Transp. Syst. Eng. Inf. 18(1), 81–88 (2018)
6. Sun, W.-J., Shao, S.-Y., Yan, R.-Q.: Induction motor fault diagnosis based on sparse automatic coding deep neural network. J. Mech. Eng. 52(9), 65–71 (2016)
7. Zhu, J.-C., Yang, Z.-L., Guo, Y.-J., et al.: Overview of the application of deep learning in power load forecasting. J. Zhengzhou Univ. (Eng. Sci. Edn.) 40(5), 12–21 (2019)
8. Yi, L.-Z., Chang, F.-M., Long, G.-Z., et al.: Applied research on short-term load forecasting based on evolutionary deep learning. J. Electr. Power Syst. Autom. 32(3), 1–6, 13 (2020)
9. Li, S.-Y.: Predictive control of industrial process systems. Control Eng. 17(4), 407–415 (2010)
10. Zeng, D.-L., Gao, Y.-K., Yong, H., Liu, J.-Z.: Optimization control for the co-ordinated system of an ultra-supercritical unit based on stair-like predictive control algorithm. Control Eng. Pract. 82(1), 185–200 (2019)
11. Zhu, C.: Study on the capability of expressing features of stacked self-encoders. Telecommun. Express (3), 28–33 (2019)
12. Liu, J.-B., Sun, W., Zhang, X.-X., et al.: Feed-forward decoupling strategy for control models applied in multivariable predictive control engineering. Control Decis. 34(5), 1094–1102 (2019)
13. Luan, X.-C., Li, S.-Y.: Study on multi-model predictive control of superheated steam temperature based on local neural network model. Chinese J. Electr. Eng. 24(8), 190–195 (2004)
14. Zhao, J., Liu, D.-C., Yao-Wen, W.: Modeling of access power system of PWR nuclear power plant. Proc. CSEE 29(31), 8–13 (2009)
15. Zhao, J., Liu, D.-C., Xiong, L., et al.: Dynamic response simulation of nuclear power plant based on PSASP custom model. Nucl. Power Eng. 31(3), 113–117, 142 (2010)
16. Wang, B.-S., Wang, D.-Q., Zhang, J.-M., et al.: Real-time simulation study on steam emission control system of PWR nuclear power plant. Nucl. Power Eng. 32(5), 38–44 (2011)

Reliability Verification Scheme for Safety Class DCS and Its Implementation in Nuclear Power Plant Ming-ming Liu, Yang Chen(B) , Xian-jian He, and Biao Xu Science and Technology on Reactor System Design Technology Laboratory, Nuclear Power Institute of China, Chengdu 610213, China

Abstract. System availability, rejection rate and malfunction rate are vital technical indicators for a safety class DCS when evaluating whether the reliability of the control system meets the technical requirements. This has attracted great attention from equipment manufacturers, regulatory agencies and users. Since there are no relevant standards or norms to guide the verification at this stage, there is no unified verification approach in the industry. Although domestic and foreign equipment enterprises have attempted relevant verification research, it still remains at the level of theoretical analysis and the confidence is not high. In the research of test methods, if the traditional test simulation method is used for index verification, it often requires a lot of manpower, material resources and time; this method is therefore regarded as inoperable, so no reasonable and mature test verification scheme has been formed for a long time. Based on the general principles of reliability analysis, this paper makes a comparative analysis of the objects of reliability testing and proposes a reliability analysis verification and implementation scheme for a safety class DCS.

Keywords: Safety class DCS · Reliability index · Scheme verification · Implementation method

1 Introduction

With the advancement of the 13th Five-Year Plan, the Chinese National Development and Reform Commission has further optimized the industrial layout, and nuclear power technology headed by Hualong One has developed rapidly. At the same time, the safety of nuclear power plants is very important, because nuclear power plant accidents cause irreparable damage to the surrounding environment. The safety class DCS is the axis of the nuclear power plant: by monitoring the key operating parameters and performing the corresponding safety protection functions, it ensures that the plant is in a safe state both in operation and during shutdown. When the value of a key process parameter of the plant exceeds its design datum, the safety class DCS outputs a drive command through voting logic to drive the corresponding shutdown circuit breaker or equipment, completing a series of protection actions. Those protection actions can always avoid or reduce the

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 216–225, 2021. https://doi.org/10.1007/978-981-16-3456-7_22

Reliability Verification Scheme for Safety Class DCS


damage of the core and reactor coolant system equipment and keep the reactor in a safe and controllable state. Therefore, the safety class DCS must be in a reliable state in operation all the year round, the high reliability of the safety class DCS in the nuclear power plant is vital.

2 Reliability of Safety Class DCS

Safety class DCS reliability refers to the ability of the system to perform specified functions under specified conditions and within a specified time; it is an important index for evaluating system performance [1]. The reliability of a safety class DCS mainly includes three technical indexes: rejection rate, malfunction rate and availability [5]. Refusal (rejection) refers to the DCS failing, because of its own unpredictable faults, to output instructions as expected when the relevant process parameters of the reactor exceed the threshold, leaving the reactor in an uncontrollable state. Misoperation (malfunction) refers to the DCS outputting wrong equipment driving instructions while the relevant process parameters of the reactor are within the safety limits, which reduces the operating efficiency of the reactor, causes fluctuations in the power grid downstream of the plant, and affects the economic efficiency of the plant. Availability refers to the ability of the safety class DCS to continue to work normally without losing its functions and performance; it is an important indicator of the maintainability and reliability of the system. During the overall design of the whole-plant equipment of a nuclear power plant, specific requirements are put forward for the reliability technical indexes of the safety class DCS. The reliability technical indexes required of the safety class DCS of one nuclear power plant are shown in Table 1.

Table 1. Requirements for reliability technical indexes of a safety class DCS in a nuclear power plant

System name                   System availability   Rejection rate (/command)   Malfunction rate (times/year)
Protect Channel Group (RPC)   >0.9999

46 years.


According to the single failure criterion, the RPC system will only malfunction when two or more independent protection channels malfunction at the same time, or when a common cause failure occurs. The relationship between the malfunction rate $SFR^{RTS}_{single}$ of a single channel in the RPC system and the overall malfunction rate parameter of the RPC system is as follows:

$$\left(SFR^{RTS}_{single} \times MTTR\right)\cdot\beta + C_4^2\cdot\left[SFR^{RTS}_{single} \times MTTR\cdot(1-\beta)\right]^2 < 0.1\ \text{times/year} \times MTTR$$

in which MTTR = 4 h and the system common cause failure factor of the two-out-of-four logic is β = 0.6%. The calculation shows that $SFR^{RTS}_{single}$ < 5.07 times/year (i.e. 0.423 times/month). The reliability parameter of the malfunction rate is calculated as $\lambda = -\ln\alpha / T$ (α = 1 − confidence), where $\lambda = SFR^{RTS}_{single}$ < 0.423 times/month. Through calculation it can be concluded that decomposing the overall malfunction rate requirement of the RPC system into an independent single channel obviously shortens the test execution time. The specific data comparison is shown in Table 3.

Table 3. Comparison of test time of RPC system malfunction rate

Confidence (α)   RPC system   RPC independent protection channel
90%              23 years     5.44 months
95%              30 years     7.10 months
99%              46 years     10.90 months

In the ESFAC system, when any independent subgroup misoperates or a common cause failure occurs, the ESFAC system misoperates. The relationship between the malfunction rate $SFR^{ESFAS}_{single}$ of a single subgroup and the ESFAC system malfunction rate parameter is as follows:

$$\left(SFR^{ESFAS}_{single} \times MTTR\right)\cdot\beta + C_4^1\cdot\left[SFR^{ESFAS}_{single} \times MTTR\cdot(1-\beta)\right] < 0.1\ \text{times/year} \times MTTR$$

where MTTR = 4 h and the common cause failure factor of the one-out-of-two logic is β = 1%; the calculation gives $SFR^{ESFAS}_{single}$ < 0.025 times per year. Based on the malfunction rate $\lambda = SFR^{ESFAS}_{single} = -\ln\alpha / T$ (α = 1 − confidence), the reliability parameters are: when the confidence is 90%, the test time T > 92.2 years; when the confidence is 95%, T > 119.9 years; and when the confidence is 99%, T > 184.3 years. After the malfunction rate of the ESFAC system is decomposed into single subgroups, the test time is not shortened, so this analysis and verification method is not suitable.

3.3 Availability Verification Scheme of Safety Class DCS

The availability calculation formula is $A = \dfrac{MTBF}{MTBF + MTTR}$. Its value is directly related to the system mean time between failures (MTBF) and mean time to repair (MTTR). Nuclear power plants require MTTR < 4 h, from which MTBF > 39996 h can be calculated. Availability verification of a safety class DCS therefore requires a minimum of 39,996 h of continuous system operation, i.e. 4.56 years, with an MTTR of not more than 4 h. For a single protection channel, unavailability of the channel caused by refusal or misoperation will not lead to unavailability of the entire RPC system. As long as three

222

M. Liu et al.

or more independent protection channels are available, the entire RPC system will be effectively available. In the calculation formula, we set the availability of separate single overall availability requirements channels for RPC systems to ARTS sin gle , combined with the   4 RTS 4 3 1 − ARTS ) of the system, it can be concluded that C43 · (ARTS sin gle sin gle + C4 · (Asin gle ) > 0.9999. The following calculation of the availability probability of the independent RTS protection channel ARTS sin gle > 0.9959, resulting in MTBFsin gle > 971.7 h, or 40.5 days of continuous testing, can verify the availability of a single protection channel. The analysis and verification of independent protection channels can obviously shorten the test execution time. The ESFAC system is one-out-of-two logical, misoperation of a single independent subgroup will make the ESFAC system unavailable. Only when the four independent subgroups are available, the ESFAC system will be available. Set the availability parameters of the ESFAC system single subgroup AESFAS sin gle . Combined with the overall avail4 ability requirements of the system, it is concluded that C44 · (AESFAS sin gle ) > 0.9999 with the availability probability of the independent single subgroup AESFAS sin gle > 0.99998, and ESFAC > 159994.3 h, about 6667 days. Therefore, the analysis and verification of MTBFsin gle independent single subgroups cannot shorten the test time. According to the architecture of safety class DCS, the overall reliability technical indexes of the system are analyzed, which overcomes the problem that the overall reliability technical indexes of DCS are difficult to be verified as a whole system, reduces the scale of verification objects, shortens the verification time of some indexes, and greatly increases the feasibility of verification.
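To make the decomposition above concrete, here is an added Python example (not from the paper or its test platform) that reproduces the single-channel malfunction-rate bounds, the zero-failure demonstration time $T = -\ln\alpha/\lambda$, and the k-out-of-n availability decomposition, using only the inputs stated in the text (MTTR = 4 h, 0.1 times/year, β = 0.6% and 1%, A > 0.9999). It assumes MTTR is converted to years so that both sides of the RPC inequality carry consistent units, which is the reading that reproduces the paper's 5.07 times/year; the function names are this example's own.

```python
"""Worked reliability-decomposition calculations for a 2oo4 RPC channel and an
ESFAC subgroup, following the formulas in the text. Added example, not the
paper's own tool; all numeric inputs are the paper's stated values."""
import math
from math import comb

HOURS_PER_YEAR = 8760.0
MTTR_H = 4.0                  # mean time to repair, hours (paper's value)
SYSTEM_SFR_PER_YEAR = 0.1     # overall malfunction-rate target, times/year


def rpc_single_channel_sfr(beta=0.006, system_sfr=SYSTEM_SFR_PER_YEAR, mttr_h=MTTR_H):
    """Largest single-channel malfunction rate (times/year) of a 2oo4 RPC that
    still meets the system target:
        SFR*MTTR*beta + C(4,2)*[SFR*MTTR*(1-beta)]^2 < system_sfr*MTTR.
    Assumption: MTTR expressed in years, giving a quadratic a*x^2 + b*x - c = 0 in x = SFR."""
    mttr = mttr_h / HOURS_PER_YEAR
    a = comb(4, 2) * (mttr * (1 - beta)) ** 2
    b = mttr * beta
    c = system_sfr * mttr
    return (-b + math.sqrt(b * b + 4 * a * c)) / (2 * a)   # positive root


def esfac_single_subgroup_sfr(beta=0.01, system_sfr=SYSTEM_SFR_PER_YEAR):
    """Largest single-subgroup malfunction rate (times/year) for the ESFAC case:
        SFR*MTTR*beta + C(4,1)*SFR*MTTR*(1-beta) < system_sfr*MTTR  (MTTR cancels)."""
    return system_sfr / (beta + comb(4, 1) * (1 - beta))


def demonstration_time(failure_rate, confidence):
    """Zero-failure demonstration time T = -ln(alpha)/lambda with alpha = 1 - confidence.
    The result is in the time unit of failure_rate's denominator (years or months)."""
    alpha = 1.0 - confidence
    return -math.log(alpha) / failure_rate


def koon_availability(a, k, n):
    """Availability of a k-out-of-n group of identical channels, each with availability a."""
    return sum(comb(n, i) * a ** i * (1 - a) ** (n - i) for i in range(k, n + 1))


def required_channel_availability(k, n, target=0.9999, tol=1e-12):
    """Smallest channel availability such that koon_availability(a, k, n) >= target (bisection)."""
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if koon_availability(mid, k, n) >= target:
            hi = mid
        else:
            lo = mid
    return hi


def mtbf_from_availability(a, mttr_h=MTTR_H):
    """Invert A = MTBF / (MTBF + MTTR) for MTBF in hours."""
    return a * mttr_h / (1 - a)


if __name__ == "__main__":
    sfr_rpc = rpc_single_channel_sfr()
    print(f"RPC single channel SFR < {sfr_rpc:.2f}/year ({sfr_rpc / 12:.3f}/month)")
    for conf in (0.90, 0.95, 0.99):
        print(f"  {conf:.0%}: whole system {demonstration_time(0.1, conf):.0f} years, "
              f"single channel {demonstration_time(sfr_rpc / 12, conf):.2f} months")
    sfr_esfac = esfac_single_subgroup_sfr()
    print(f"ESFAC subgroup SFR < {sfr_esfac:.3f}/year; 90% test time "
          f"{demonstration_time(sfr_esfac, 0.90):.1f} years")
    a_rpc = required_channel_availability(3, 4)
    print(f"RPC channel A > {a_rpc:.4f}, MTBF > {mtbf_from_availability(a_rpc):.1f} h")
    a_esfac = required_channel_availability(4, 4)
    print(f"ESFAC subgroup A > {a_esfac:.6f}, MTBF > {mtbf_from_availability(a_esfac):.1f} h")
```

Running the script prints the RPC and ESFAC bounds side by side, which makes the asymmetry in the text visible: the 2oo4 channel bound is quadratic in the single-channel rate and therefore loose, while the ESFAC bound is linear with a factor of four and yields a test time longer than the whole-system test.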

4 Implementation of Reliability Verification Scheme of Safety Class DCS

Based on the above verification scheme, and using the hardware resources of the design and manufacturing unit, an engineering prototype composed of two cabinets is built as the test object. The RPC independent single channel can be verified for rejection rate, malfunction rate and availability, and the ESFAC independent single subgroup can be verified for rejection rate, thus proving the overall reliability of the system [6]. The simulation test device is used to simulate the on-site sensors and inject signals into the RPC-A channel. By repeatedly changing the parameter values injected into the RPC-A single channel between normal values and trigger thresholds, RPC-A can repeatedly output shutdown protection signals and PLM-A can repeatedly output safety equipment drive signals [7]. At the same time, the test simulation device simulates the shutdown circuit breaker and safety drive equipment, collects the signals output by the DCS, compares the collected signal values with the expected values, and verifies whether there is any refusal or misoperation of the system. Availability verification reads and records the running state and time of the RPC channel on the upper computer through the test interface between the simulation device and the DCS. The connection diagram between the test simulation device and the DCS is shown in Fig. 4. When the input signal of RPC-A jumps from the normal value to the threshold value, the shutdown output signal and the drive signal of the safety drive device also jump to the trigger state, to verify whether the operation is rejected. When the input signal jumps back to the normal value and remains there for a period of time, the shutdown output signal and the drive signal of the safety drive equipment remain in the untriggered state, and whether there is misoperation can be verified during this period. During operation, the upper computer carries out surveillance on the working state of the controller and verifies the availability of the system. Through analysis of the waveforms of the injected signal and the output signal during the execution of the test activities, the test resources can be effectively utilized. Accordingly, the sample quantity of verification can be increased, and the confidence of the actual verification results can be improved. At the same time, the usability test also reaches the acceptable expected time. The test waveform diagram of the malfunction rate test superimposed on the rejection rate test is shown in Fig. 5. After the safety class DCS is put into operation, the process operation parameters of multiple groups of reactors will be continuously collected, and different parameters will simultaneously carry out different protection logic operations in the DCS. In order to fully verify the engineering prototype, the analog signals input by the test simulator include all the process parameters of the DCS, and the strategy of triggering multiple protection logics in turn and triggering multiple protection logics at the same time is adopted to restore the actual operating conditions.

Fig. 4. Schematic diagram of connection between test simulator device and DCS

Fig. 5. Waveform diagram of refusal-misoperation test (panels: Rejection test; Misoperation test)

The actual verification execution phase lasted for a total of 6 months, during which 107 rejection rate tests were carried out on the RPC independent single channel, with confidence above 99%. The malfunction rate was tested for 5.5 months, and the confidence level was above 90%. The usability test lasted 5.5 months, meeting the 99.99% requirement. The rejection probability was tested 4 × 10^6 times on the ESFAC independent single subgroup, and the confidence level was above 99%. Having met the requirements of DCS decomposition and verification, the test process data can be used as the data basis for subsequent iterative development [6].

5 Conclusion

The system rejection rate, system maloperation rate, and system availability of the safety class DCS are verified by this method. The quantity of test data required for safety class DCS test verification is relatively large, requiring months or even decades of test data as support, with the test being a continuous process that cannot be interrupted or accumulated. These conditions place extremely strict requirements on manpower and material resources, so the verification activities lack feasibility, which is not conducive to the iterative development of the DCS. In order to solve this problem, this research starts from the feasibility of the reliability verification activity of the safety class DCS. Following the logic of the RPC system and the ESFAC system in the safety class DCS, the whole reliability index of the system is decomposed into independent channels of the RPC and independent subgroups of the ESFAC, to reduce the execution time of verification for the RPC system rejection rate, malfunction rate and availability, as well as the ESFAC system rejection probability, from decades to an acceptable verification time range. This method also reduces the verification scale from nearly 100 cabinets to 2, thus improving the feasibility of reliability verification, providing a constructive idea for reliability verification, and ultimately promoting the stable and orderly development and iteration of the whole platform.


References

1. Li, L.: Handbook of Reliability Engineers. Renmin University of China Press, Beijing (2012)
2. State Bureau of Quality and Technical Supervision: GB/T 9225-1999 General Principles for Reliability Analysis of Safety Systems in Nuclear Power Plants. China Standard Publishing House, Beijing (1999)
3. International Electrotechnical Commission: IEC 61508-2010 Functional safety of electrical/electronic/programmable electronic safety-related systems. IEC Central Office, Geneva (2010)
4. Ma, Q., Luo, Q., Song, X., et al.: Common cause failure analysis of digital safety class DCS emergency shutdown system. Nucl. Power Eng. 39(3), 95–99 (2018)
5. Peng, Y., Hu, Q., Wu, L., et al.: Application of reliability design in the development of safety class DCS in nuclear power plants. Instrument Users 25(4), 75–78 (2018)
6. Xu, B., Liu, X., Han, W., et al.: Analysis and calculation of reliability parameter test scheme for safety class DCS in nuclear power plant. Instrument Users 25(11), 86–88 (2018)
7. Chen, Z., Chen, Y., He, X., Wang, X., et al.: Plant test of safety level digital control system for nuclear power plant. J. Shanghai Jiaotong Univ. (S1), 20–25 (2018)
8. Liu, Y., Liu, M., Lei, M., Yang, R., et al.: Review and prospect of safety DCS "Dragon scale system". China Nucl. Power (5), 537–541 (2019)

An Ergonomic Analysis of Main Control Room Console in Nuclear Power Plant Based on Jack

Yu-Tong Li(B), Ming-Ming Liu, Qing-Huai Huang, Nan Gao, Guan-Ron Liu, and Mao Zhou

Science and Technology on Reactor System Design Technology Laboratory, Nuclear Power Institute of China, Chengdu 610213, China

Abstract. In the process of human factor design and preliminary verification of the control room console in a Nuclear Power Plant, the traditional 2D human model design and analysis method is commonly used. However, the results tend to be inaccurate and time-consuming to obtain. With the help of the human simulation tool Jack, quick and precise analysis can be achieved. This paper puts forward a human factor engineering analysis of the main control room console in a nuclear power plant based on Jack, including visibility, accessibility, and collision detection. By comparing this method with traditional 2D design, the conclusion can be drawn that ergonomic analysis of the main control room console based on Jack is more comprehensive and accurate, thus largely increasing design efficiency and quality.

Keywords: Nuclear power plant · Human factor engineering · Human simulation · Ergonomic analysis

1 Introduction

The main purpose of human factor engineering is to achieve the best combination of human, machine and environment. The common way is to analyze the Human Machine System (HMS), that is to say, to judge whether the HMS conforms to the physical and psychological features of the user. The very beginning of ergonomic analysis was to observe plentiful cases of how testers interacted with tasks and products. Although the result is true and credible, the method takes a lot of time and money [1]. Since the 1980s, the application of computer simulation in the product industry has made it popular to use computer simulation software to analyse human factor design. Computer simulation not only saves over 50% of the time and money but also yields a result similar to the real-case observation method. As the main control room (MCR) console in a Nuclear Power Plant (NPP) is a vital human machine interface, the design of its dimensions should consider human factor engineering requirements to increase the ergonomics of the whole HMS. The most effective way is to gather designers from multi-disciplinary fields to collaborate at the beginning of NPP MCR human factor design. The common way, however, is to build a wooden Mock-up (1:1 model) after the design plan has already been done, and invite experts from different fields together to make a final assessment. If some human engineering discrepancies (HFDs) are identified, product design modification is inevitable. Going back to the design process is time consuming, and human factors still cannot be analyzed during the design process. Based on computer simulation technology, human factor analysis can be brought forward to the plan design phase. Combined with VR tools, the traditional linear design process can be changed to cyclic iteration, which can largely increase design efficiency and quality.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 226–238, 2021. https://doi.org/10.1007/978-981-16-3456-7_23

2 Human Body Simulation Software

The development of computer design started early in the automobile industry. In the trend of computerized automobile R&D in the 1980s, 3D digital body modeling systems based on computer-assisted human machine engineering gradually became a hot spot, and various human body modeling software packages were invented. The German Automotive Technology Research Group cooperated with many other companies to develop a modern computer human body model, launching RAMSIS in 1988, which has already been used in BMW automobile design. The British human body model system SAMMIE has been widely applied in the industrial field. The Jack model system, developed by the University of Pennsylvania in America, has found use in automobile companies such as Ford and TOYOTA. With the development and growing familiarity of computer simulation technology, 3D digital modeling began to be applied to other scenes such as activity simulation in aviation and aerospace, design of Boeing aircraft, maintenance interference checks, etc. [2]. However, in the ergonomic design of the control room in an NPP, the 3D digital virtual human model is seldom used in the process of human factor design and preliminary verification; the traditional 2D human model design and Mockup verification are still generally preferred. On the one hand, because the operation of a nuclear power plant is mainly mental work, the operator's movement range is limited, and the operation postures and movements are relatively fixed and simple, which has little influence on the physical fatigue of the human body. Therefore, less simulation accuracy of posture, joints and stress of the human body model is required. On the other hand, before the advent of VR technology, Mockup verification was always an essential method to verify the human factor design of the console. All theoretical analysis needed to be carried out through the actual feelings and scoring of operators and experts, so the importance of preliminary simulation verification was often ignored.
2.1 Comparison of Human Body Modeling Simulation Software

The following is a brief analysis and comparison of the human 3D simulation software commonly used at present: the DELMIA human-machine module, Anybody, RAMSIS, Jack, etc. DELMIA is used for digital manufacturing; the DELMIA human-machine module is a sub-module of DELMIA, which can build different human body models according to user requirements and can simulate the various main working movements of the human body, as well as the comfort degree and range of activities of a human under different working postures. Ergonomics Design & Analysis provides tools related to human workload and human factors analysis, helping users to understand and optimize the relationship between humans and the products or resources that are produced, installed, operated and maintained by them. However, since it aims at the analysis of human factors in the production process, it is not applicable to the design requirements of the main control room in a nuclear power plant. Anybody is a simulation software with a high degree of anatomical detail: its model of the skeletal muscle system is based on anthropometric parameters (more than 1000 muscle elements and the entire bone model), focusing on joints, muscles and movement, and its output supports the dynamics simulation software ADAMS. It is mainly used in the analysis of the human skeleton and the stress and deformation state of joints, and is not applicable to the design requirements of the main control room panel in a nuclear power plant. RAMSIS is mainly used in the automotive industry to analyze cockpit personnel performance, such as visibility, operating power, accessibility and comfort, which does not meet the design requirements of the consoles in the main control room of an NPP. The comparison of several commonly used human body modeling simulation software is shown in Table 1. In consideration of the requirements and characteristics of the main control room console ergonomic design analysis, the Jack 3D simulation software was selected for static and dynamic ergonomic analysis of the main control room in a nuclear power plant.

Table 1. Comparison of several commonly used human body modeling simulation software

Company: DELMIA human-machine module: Dassault Systèmes, France; Anybody: Anybody Technology, biomedical engineering R&D group at Aalborg University, Denmark; RAMSIS: TECMATH LTD, University of Kaiserslautern, joined with University of Munich, Germany; Jack: University of Pennsylvania, Siemens Industrial Software Co.

Data base: DELMIA human-machine module: P5, P50, P95 male and female digital body model bases are provided, with flexibility to change feature sizes; Anybody: typical Chinese anthropometry and bone-muscle system modeling databases are included; RAMSIS: eight countries including China, America, Japan, Korea, etc.; Jack: ANSUR, ASIAN_INDIAN_NID97, CDN_LF_97, GERMAN, CHINESE, JAPANESE_2006, KOREAN_2003, NA_AUTO, NHANES

Environment: DELMIA human-machine module: combines upstream CAD design data with field resources (2D/3D)

Output/CAD: DELMIA human-machine module: CAD modules and programs such as Solidworks, Pro/E and UG are supported, files can be opened directly; Anybody: objects can be imported from CAD data and from Simpleware; RAMSIS: supported formats can be directly imported; Jack: can directly import Vis (.jt), VRML 2.0 (.wrl), IGES (.igs, .iges), stereolithography (.stl), inventor (.iv) and optimizer (.csb) files

Ergonomic analysis: DELMIA human-machine module: visibility, accessibility, maintainability, manufacturability and efficiency optimization; Anybody: biomechanics; RAMSIS: auto-calculates the most comfortable driving posture; Jack: measuring, the Occupant Packaging Toolkit (OPT), Visual Fields Analysis, the Task Analysis Toolkit (TAT)

Application: DELMIA human-machine module: verifying the procedures in the whole process of production planning in the manufacturing industry; Anybody: analyzing the stress and deformation state of bones and joints of the human body; RAMSIS: mainly the automobile industry, to evaluate the efficiency of the driver; Jack: evaluating the layout problems in the working area

2.2 Jack Simulation Software

Jack was first developed in 1995 as a research project of the Human Modeling and Simulation Center at the University of Pennsylvania. This software supports users in defining precise digital human bodies of different sizes in the virtual environment, then assigning them specified tasks and analyzing the corresponding feelings, so as to help users quickly design products which satisfy human factors engineering requirements [3]. Jack's basic functions include construction of the virtual environment, construction of the digital human body, definition of human size, positioning of the human body in the virtual environment, assignment of digital human tasks and evaluation of the virtual human's feelings. Jack software not only has powerful simulation functions, but also includes special human factor analysis technologies such as digital human visual field analysis, generation of digital human reach zones, and task analysis. It is professional software integrating simulation and human factor analysis.
In addition, connecting Jack with virtual reality (VR) tools to create real action or experience simulation could be the development direction for establishing a virtual simulation main control room in the future [4].

3 The Foundation of Ergonomic Analysis

3.1 Digital Human

The human body modeling in Jack mainly includes 26 anthropometric data, involving 5 categories of human body structure dimensions. To allow users to establish a figure that conforms to a standard file of measurement data, a specific individual or a specific size, more than 26 different constraint relationships between the anthropometric data are provided. A series of functions are embedded in Jack to fit the body size: users just need to enter one of the parameters, and the 25 other parameters can be generated by fitting. The basic data were derived from Drillis and Contini (1966) and the Army Natick Survey of User Requirements (1988). ANSUR was also used to obtain the corresponding linear regression algorithm from all the input parameters. Therefore, it is impossible to make all the data of the digital human body meet the human body size data in the standard Human dimensions of Chinese adults, but a static human body figure can be built to meet different needs according to different task requirements. For example, to study the visibility of the sitting posture, the user can enter fixed parameters related to the height of the sitting posture, and other parameters can be automatically generated by the software. Taking a P95 Chinese adult male as an example, the digital human figure generated by Jack using the Chinese database is shown in Fig. 1.

Fig. 1. P95 Chinese adult male generated by Jack

Comparing the dimensions generated by basic scaling with the corresponding data in GB 10000-1988 [5], there are some deviations. So adjustments were made to some key parameters among the 26 anthropometric data; the result is shown in Table 2. It can be seen from Fig. 2 that the height calculated automatically from these key parameters is not 177.5 cm, which is caused by Jack's algorithm rules at the lower layer. In the application, as long as the key parameters related to visibility and accessibility, which are eye height and shoulder height, are correct, the deviation of stature is accepted.

3.2 Environment Building

As the establishment of the console model is generally realized in 3D software such as Catia, Solidworks, etc., Jack provides an import function. After saving the models built by other 3D software in a format supported by Jack, the file can be imported into Jack, and Jack can create a 3D simulation environment according to different user needs. Various 3D entity models drawn by UG, CAD, 3D-MAX, Pro/E and other modeling software can be imported, and static and dynamic simulation can be realized by defining tasks of digital people interacting with entities in the 3D environment [6].

Table 2. Adjustment results of key anthropometric parameters according to GB 10000 (units: cm)

Stature | Auto-generated | Hand Length | 19.6
Abdominal Dep. | Auto-generated | Head Breadth | 16.4
Ankle Hgt. | Auto-generated | Head Height | 24.1
Acromion Height | 145.6 | Head Length | 19.5
Arm Length | 79.2 | Hip Breadth | 33.4
Biacromial Br. | 40.3 | Interpupil Dist. | Auto-generated
Bideltoid Br. | 46.9 | Shoulder-Elbow | Auto-generated
Buttock-Knee | 59.5 | Sitting Acromial | 64.1
Elbow Rest Hgt. | Auto-generated | Sitting Eye | 84.7
Elbow-Fingertip | 45.4 | Sitting Hgt. | Auto-generated
Foot Breadth | 10.3 | Sit Knee Hgt. | 53.2
Foot Length | 26.4 | Thigh Clearance | 15.2
Hand Breadth | 8.9 | Thumbtip Reach | Auto-generated

Fig. 2. Adjustment of advanced scaling data

a) Environment building for stand-up console

Take the BUP stand-up console of a project as an example. First, the model was designed in SolidWorks according to the basic shape and size of the console. It is suggested to save the file in .wrl format and then import the model into the Jack software. When importing .wrl files, note that the rotation angle and scaling factor need to be set appropriately, because the world coordinate system in Jack is different from the regular coordinate system. After importing, the positions of the console and the virtual human figure need to be adjusted appropriately. In addition, considering a shoe height of 25 mm, the digital human should be moved up by 2.5 cm. The final stand-up console environment is shown in Fig. 3:

Fig. 3. Environment building for stand-up console

b) Environment building for sit-down console

Take the sit-down console of a project as an example. Both the console model and the chair model should be imported into Jack. The posture of the human figure should be chosen as seated_erect to be consistent with the NUREG 0700 requirements, and by using the snap (locate) command in the drop-down menu, selecting the Face Pos. (Face) option and pointing to the surface of the chair, the human figure can be quickly located on the chair, as shown in Fig. 4.


Fig. 4. Environment building for sit-down console

4 Ergonomic Analysis

Ergonomic analysis is the most valuable and difficult part in Jack. The final purpose of the previous work is to conduct ergonomic analysis on the simulation environment, obtain valuable results, and then improve the design of the console dimensions according to the results. The accessibility and visibility analysis methods for stand-up and sit-down consoles are consistent; therefore, in the analysis of accessibility and visibility, the stand-up console is taken as an example. Collision examination is mainly to verify the knee clearance of the sit-down console, so the sitting console is taken as the example for illustration.

4.1 Accessibility

The accessibility analysis tool can depict the maximum accessible range for a human figure of a particular size and obtain a comfortable accessible area using the most industry-recognized comfort assessment resources. The accessibility analysis in Jack includes the following four types: Joint Angle Driven, From Shoulder; Joint Angle Driven, From Waist, Axial Rotation; Comfort Solids; Constraint Driven [7]. First, select the traced human figure and choose the Joint Angle Driven, From Shoulder type, and then separately choose the left index finger and the right index finger as the Traced Site; the reach zone can then be generated as shown in Fig. 5. This reach zone is generated in a manner consistent with the definition of functional extension in NUREG 0700 [8]. The reach zone generated by Jack can be directly used as a range reference in the Jack software or exported to the local CAD system in IGES or VRML format. The limitations of the co-drive data used by the Advanced Reach Zone tool are derived from NASA research reports. Select the reach zones of the 95th percentile male and the 5th percentile female as the two most extreme ranges; the intersection of the two zones is the area in which the controllers can be arranged, as shown in Fig. 5.


Fig. 5. Reach zone of P95 Chinese male and P5 Chinese female

4.2 Visibility

The Vision Analysis tools in Jack can be used to study the areas and objects included in the human figure's perspective in various situations, so as to judge the rationality of the design. There are a number of different types of Vision Analysis:

Obscuration Zones - These are used in the assessment of what is blocked (or free from blockage) by a selected object. Common uses are determining which instruments are blocked and determining the region outside a vehicle that is blocked from view.

Reflection Zones - These are used in the assessment of the region that a mirror allows visibility of. Rays are shot out from the human figure's eye point (or another point) to the edges of a selected mirrored surface and the resulting reflected rays are generated. These rays are used to generate a surface around the area viewable with the mirror.

Coverage Zones - These are 2D plots of viewable and non-viewable points. Coverage Zones are particularly useful in complex scenes where it is hard to tell which segments might present the greatest visibility problems.

The above three tools can be used together with the Vision Geometry Generator; however, the most useful tool for visibility analysis in the MCR is the Visual Field tool. This tool provides quick and easy ways to determine whether a visual target is inside (or outside) a person's view. Some types of view cones are predefined. The predefined zones include peripheral vision limit, blind spots, and color discrimination limit zones. Peripheral view cones show the limits of all vision: no point can be seen outside the angles of this view cone. The Outside Angles are limits imposed by the anatomy of the eye. The Inside Angles are limits imposed by the nose. The Up Angles are limits imposed by the brow. And the Down Angles are limits imposed by the cheek bones. The generated peripheral view cone is shown in Fig. 6 on the left. The blind spots are generally compensated for by the opposite eye, since they arise where the optic nerve connects to the eye; it is safest to keep important vision targets outside of these regions [9]. The blind spot is shown in Fig. 6 center. The color discrimination limit view cones (Green, Red, Yellow, and Blue) show the areas where light of the corresponding color can be distinguished from other colors. When color discrimination is important, such as with warning signals, it is best to keep the vision target inside its associated color discrimination limit view cone [10]. The color discrimination limit zone is shown in Fig. 6 right.

Fig. 6. The generation of peripheral vision limit, blind spot, and color discrimination limit zone

According to the requirements about the location of monitored displays of the stand-up console in NUREG 0700: displays that require frequent or continuous monitoring, or that may display important (e.g., alarm) information, should be located not more than 35° to the left or right of the user's straight-ahead LOS, and not more than 35° above and 25° below the user's horizontal LOS, measured from the normal workstation; displays that do not require frequent or continuous monitoring should be located not more than 95° to the left or right of the user's straight-ahead LOS, as measured from normal workstations. According to these requirements, a customized view cone can be generated, shown as the dark grey area in Fig. 7. Comparing the frequently monitored customized area with the green color discrimination limit view cone, only a small difference can be seen in the left picture. Comparing the infrequently monitored customized area with the peripheral vision limit, only a small difference can be seen in the right picture. So generally, we can conclude that the view cone generated according to NUREG 0700 is smaller. That is to say, to make it easier for designers or NRC staff to judge whether a console dimension design satisfies the HFE requirements in a 2D graph, a conservative requirement was given in NUREG 0700. However, it is more accurate to use the Vision Analysis tools in 3D to analyze visibility.

4.3 Collision Detection

Jack is equipped with auxiliary collision detection tools. Through collision detection (the collision place will be highlighted in red), as shown in Fig. 8, it can be concluded that the knee space and foot space under the console meet the requirements. A certain collision threshold can be set for collision detection.
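As an added example (not part of the paper and not Jack functionality), the following Python check applies the NUREG 0700 angular limits quoted above to candidate display positions relative to an operator's eye point, which is the arithmetic behind the customized view cone. The coordinate frame (x along the straight-ahead LOS, y to the operator's left, z up, in metres, origin at the eye point), the sample display positions, the two eye-point offsets and the function names are this example's own assumptions; the vertical limit for infrequently monitored displays is left unconstrained because the text quotes only the horizontal 95° limit for them.

```python
"""Check candidate display positions against the NUREG 0700 line-of-sight (LOS)
limits quoted in the text. Added example, not from the paper or the Jack tool.
Assumed frame: metres, origin at the operator's eye point, x = straight-ahead
LOS, y = operator's left, z = up."""
import math
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Point = Tuple[float, float, float]


@dataclass(frozen=True)
class ViewLimits:
    left_right: float             # max |azimuth| from straight-ahead LOS, degrees
    up: Optional[float] = None    # max elevation above horizontal LOS, degrees
    down: Optional[float] = None  # max depression below horizontal LOS, degrees


# Frequently/continuously monitored or alarm displays: 35 deg left/right,
# 35 deg up, 25 deg down (values quoted from NUREG 0700 in the text).
FREQUENT = ViewLimits(left_right=35.0, up=35.0, down=25.0)
# Infrequently monitored displays: 95 deg left/right; no vertical limit quoted.
INFREQUENT = ViewLimits(left_right=95.0)


def los_angles(eye: Point, target: Point) -> Tuple[float, float]:
    """Azimuth (positive = left of LOS) and elevation (positive = above the
    horizontal LOS) of target as seen from eye, both in degrees."""
    dx, dy, dz = (t - e for t, e in zip(target, eye))
    azimuth = math.degrees(math.atan2(dy, dx))
    elevation = math.degrees(math.atan2(dz, math.hypot(dx, dy)))
    return azimuth, elevation


def within_limits(eye: Point, target: Point, limits: ViewLimits) -> bool:
    """True if target lies inside the view cone described by limits."""
    az, el = los_angles(eye, target)
    if abs(az) > limits.left_right:
        return False
    if limits.up is not None and el > limits.up:
        return False
    if limits.down is not None and el < -limits.down:
        return False
    return True


def check_console(eye: Point, displays: Dict[str, Tuple[Point, str]]) -> Dict[str, bool]:
    """displays maps a name to (position, 'frequent' | 'infrequent').
    Returns, per display, whether it satisfies its category's limits."""
    rules = {"frequent": FREQUENT, "infrequent": INFREQUENT}
    return {name: within_limits(eye, pos, rules[kind])
            for name, (pos, kind) in displays.items()}


# Constructed sample layout (not a real console): positions relative to the eye.
SAMPLE_DISPLAYS: Dict[str, Tuple[Point, str]] = {
    "trip status":    ((0.80, 0.30, 0.20), "frequent"),    # 20.6 deg left, 13.2 deg up
    "alarm panel":    ((0.60, 1.20, 0.50), "frequent"),    # 63.4 deg left: too far for frequent
    "trend recorder": ((0.60, 1.20, 0.50), "infrequent"),  # same spot, acceptable if infrequent
    "desk indicator": ((0.50, 0.00, -0.30), "frequent"),   # 31 deg below LOS: exceeds 25 deg
}

# Eye points for two operator sizes: constructed offsets, not GB 10000 values.
EYE_POINTS: Dict[str, Point] = {"P95 male": (0.0, 0.0, 0.0), "P5 female": (0.0, 0.0, -0.15)}


def evaluate_all() -> Dict[str, Dict[str, bool]]:
    """Run the check for every eye point; a layout passes only if every size passes."""
    return {who: check_console(eye, SAMPLE_DISPLAYS) for who, eye in EYE_POINTS.items()}


if __name__ == "__main__":
    for who, results in evaluate_all().items():
        print(who, results)
```

The two eye points show why the analysis is repeated for extreme percentiles: the low desk indicator falls outside the 25° downward limit for the taller eye point but inside it for the lower one, so a single "average" figure would hide the deviation.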


Fig. 7. Comparing Fig. 6 with the view cone generated according to NUREG 0700

Fig. 8. Pass/not pass the collision dictation

5 Practical Application

In the practical application of a project, 3D human factor design verification is added to the iterative process of human factor design, as shown in Fig. 9. By comparing the results of 2D analysis and 3D analysis, it can be seen that the 3D analysis results are more comprehensive and accurate: they can not only show the side view of the reach zone, but also analyze the lateral view of the reach zone. In addition, as the 3D human figure takes into account the thickness of the human body and the thickness of clothes, the distance between the body and the console becomes relatively larger, so while in the 2D analysis the console dimensions meet the 5th percentile female accessibility, in the 3D analysis the benchboard cannot be completely covered by the reach zone. This human factor deviation needs to be reported as feedback to the designers to carry out the corresponding design optimization, as shown in Fig. 10. Finally, based on the results of the 3D human factor analysis and verification, the console design in this project received good feedback in the Mockup verification process and met the human factor requirements in all aspects.

Fig. 9. The iterative process of human factor design

Fig. 10. The comparison of 2D analysis results and 3D analysis results


6 Conclusion
During the design or design optimization of main control room consoles, simulation software can be used extensively for analysis, so that problems are found in time and modified and optimized at an early stage of design; this reduces the cost of design and manufacturing and improves the efficiency and reliability of HFE analysis. The final console design is verified by a mockup in every aspect to meet the operators' needs. The difficulties of Jack-based ergonomic analysis for a nuclear power plant main control room console lie in the accurate creation of digital human models, the correct selection of ergonomic analysis tools and the interpretation of the human factor analysis results. The three basic human factor analyses introduced in this paper, accessibility, visibility and collision detection, are static analyses. Dynamic simulation in Jack and the associated analysis of human fatigue will be the focus of future studies.

References
1. Jianwei, N., Le, Z.: Foundation and Practical Application of Human Factor Engineering Based on Jack. Electronics Industry Press, Beijing (2012)
2. Zuhua, J., Chaoan, L., Dongbo, W., Chunjian, Y.: Human Factor Engineering. Science Press, Beijing (2018)
3. Yu, W., Pu, H.: Research on human factor engineering optimization based on Jack. Sci. Technol. Innov. Guide 2, 10–11 (2009)
4. Liwei, Z., Chuan, L.: Research on collision detection in VR environment based on Jack. Comput. Eng. Appl. 32, 78–80 (2003)
5. GB 10000: Human dimensions of Chinese adults (1988)
6. Lan, S.: An ergonomic analysis based on Jack virtual simulation technology. Ind. Eng. 20(6), 96–100 (2017)
7. Ma, Z., Xue, H.: Human modeling and ergonomic analysis based on Jack. Aeronaut. Comput. Technol. 38(1), 97–100 (2008)
8. NUREG-0700: Human-System Interface Design Review Guidelines. USNRC (2007)
9. Tilley, A.R.: The Measure of Man and Woman: Human Factors in Design. Henry Dreyfuss Associates (1993)
10. Boff, K.R., Lincoln, J.E. (eds.): Engineering Data Compendium: Human Perception and Performance. AAMRL, Wright-Patterson AFB, OH (1988)

Verification Method and Basic Guarantee of RPS Availability in Nuclear Power Plant Xian-Jian He(B) , Ming-Ming Liu, Qing Zhang, Xiao-Jun Luo, and Jing Wen Science and Technology on Reactor System Design Technology Laboratory, Nuclear Power Institute of China, Chengdu 610213, China

Abstract. The third-generation nuclear power reactor protection system (RPS) based on computer technology, i.e. the safety DCS, is designed with large-scale integrated circuits and real-time embedded software, and is characterised by complex structure, large system scale and difficult verification. To ensure the safe operation and economic benefit of nuclear power plants, the RPS needs not only reliability and stability but also high availability. To explore the feasibility of verifying the DCS availability index, a set of availability testing methods and basic guarantee conditions suitable for DCS suppliers is summarised, based on the Hualong One safety DCS engineering prototype, for discussion and exchange. Keywords: RPS · Availability · Verification method · Guarantee conditions

1 Introduction
The Reactor Protection System (RPS) is a particularly important system in a nuclear power plant. With the acceleration of independent design and localization, its reliability and availability are frequently raised and have become a focus of attention in the industry, because they directly affect the safe operation of the plant [1]. RPS failures are generally divided into two categories: dangerous failures and safe failures. IEC 61508 defines dangerous failures as those that have the potential to put the safety-related system in a hazardous state or to leave it unable to perform its safety function. A safe failure is one that puts the system into a safe state before any hazardous condition appears. Safe failures increase the probability of the system entering the safe state (for an RPS, a spurious trip), reduce the availability of the system, and cause unnecessary disturbance to normal production.

2 Concept of Availability and Necessity of Verification
2.1 The Concept of Availability
Availability as a concept was put forward in the mid-1980s and has gradually evolved into an evaluation index of product reliability. Its definition in ISO 9241-11 is the degree to which a product effectively achieves a specified goal in a specified context (strictly, ISO 9241-11 defines usability; the same Chinese term covers both concepts, and the definition that applies here is the one from GB/T 3187). The definition in GB/T 3187-97 is: under given external conditions, the ability of a product to be in a state to perform its specified function under specified conditions, at a specified instant or over a specified period. Combined with the understanding of availability in the nuclear power industry, system availability, also often called the system availability rate, can be simply defined as the probability, over time, that the system is operating normally within the specified assessment period. Availability is a comprehensive characteristic of the reliability, maintainability and maintenance support of equipment or a system. First, the better the reliability of the product, the smaller the probability of failure within the specified time and the higher the availability. Second, maintainability: all kinds of repair measures should be considered in the product design, so that when the product fails the conditions for maintenance exist and the maintenance task can be completed within the specified time. Third, maintenance supportability, which is an indicator of the management mechanism: when a fault occurs, the ability to locate it quickly, the availability of spare parts, the availability of qualified personnel on standby and so on all determine whether the fault can be handled quickly. The sounder the mechanism, the shorter the handling time and the higher the availability.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 239–246, 2021. https://doi.org/10.1007/978-981-16-3456-7_24

X.-J. He et al.

2.2 The Necessity of Availability Verification
It can be seen from the previous section that the availability of safety-level DCS equipment in nuclear power plants is a comprehensive index: it relates not only to the products themselves but also to the supporting technical and management means, and is a comprehensive test of the capability of the nuclear power control system.
Generally, the safety and availability of a system constrain each other. Many safety-level systems improve safety by increasing redundancy, which means more equipment; the higher probability that some component fails increases the number of equipment shutdowns, prolongs maintenance time and reduces the availability of the system. In actual production, however, especially in the petroleum, chemical, electric power and other industries, the losses caused by a spurious shutdown are often huge. Taking a nuclear power plant as an example, a single spurious trip caused by an RPS equipment failure triggers a series of activities, such as stabilising the plant, regulatory reporting, fault location, analysis and rectification, a summary report, permission to return to criticality, and so on. These activities take several days to several weeks, and the economic losses they bring range from tens of millions to hundreds of millions. Therefore it is necessary for equipment manufacturers to carry out availability verification, both for product quality and for the economic benefit of the power plant.

3 Verification Method for the Availability of the Digital Instrumentation and Control System in a Nuclear Power Plant
3.1 Traditional Availability Verification Methods
Taking the Lingao Phase II units in China as an example, the availability verification of the reactor protection system mainly includes two aspects:

Verification Method and Basic Guarantee of RPS


First, on the part of the DCS manufacturer, availability is mainly demonstrated by analysis, with the following formula:

A = \frac{MTTF}{MTTF + MTTR} \quad (1)

A: availability of the system equipment. MTTF: mean time to failure (the paper also writes this quantity as MTBF, mean time between failures). MTTR: mean time to repair. The MTTF of the system is obtained mainly in the following ways: (1) data provided by the manufacturer; (2) reliability test data; (3) prediction of the system hardware reliability according to a standard.

Second, on the part of the owner, after the products are delivered to the site an availability test is conducted for 90 days. The availability (availability rate) during the test period is generally required to be not less than 99.99%. If this is not met, the test can be extended by further 90-day periods, but the total time cannot exceed 250 days; if the test fails three times in a row, the test is deemed failed.

To sum up, the traditional verification method lacks an availability test carried out by the equipment manufacturer in the factory, which may delay the discovery of defects and affect the project schedule.

3.2 Recommended In-Plant Availability Test Verification Method
3.2.1 Verification Principle of the Availability Test
The test method is to build a simulation environment that reproduces field operation, so that the DCS protection system enters its normal working state. Technical means are used to monitor and capture fault information and timing during DCS operation, and fault events are recorded throughout the test. The availability result is then calculated according to agreed calculation rules and weight coefficients. From the recorded process events, valid data are selected for the availability calculation, using the following formulas [2, 3]:

A = \frac{t_t - t_f}{t_t} \times 100\% \quad (2)

t_f = \sum_{i=1}^{n} K_{fi}\, t_{fi} \quad (3)

A: calculated value of system availability. t_t: cumulative test time. t_f: accumulated failure time. t_{fi}: failure time of a single hardware device. K_{fi}: failure weight coefficient. n: number of hardware device failures. N: total number of installed units of each hardware device type.

Note: (1) In the statistics, two redundant hardware components are regarded as one component. (2) Reference values of the failure weight coefficient for safety equipment are given in Table 1.

Table 1. Recommended value of failure weight coefficient of DCS module

SN   Component name               Weight coefficient
1    Main control module          5 n/N
2    Communication module         3 n/N
3    Expansion module             3 n/N
4    I/O module                   1 n/N
5    Signal conditioning module   1 n/N
6    Preferred module             5 n/N
7    Chassis backplane            1 n/N
8    Power supply module          1.2 n/N
9    Safety display station       2 n/N
10   Other modules                3 n/N

(n and N as defined for Eqs. (2) and (3) above.)

3.2.2 Determination of the Availability Test Period (Test Duration)
In the past, availability was basically verified by analysis or by an availability test run by the owner, and the test cycle was long. The test method proposed here uses reliability theory to decompose the availability index of the system down to a single channel and applies the availability test to a single channel, which shortens the test period and is more feasible.

Test object: any channel or train of the reactor protection system.

Single-channel parameter decomposition: to test the availability of a single channel it is necessary to decompose the system index according to the system architecture. Taking the Hualong engineering prototype independently developed by NPIC as an example, the reactor trip system of the safety-level I&C equipment in this project has a 2oo4 architecture, so the conservative availability model of the reactor protection system is as shown in Fig. 1.

Fig. 1. Availability model of reactor protection system (conservative model)

From the model in Fig. 1 it follows that, for the 2oo4 logic of the RPS, the unavailability of a single protection channel caused by its failure to act or by spurious actuation does not lead to unavailability of the whole RPS. Therefore the availability required of a single RPS channel is (the state with only two intact channels is conservatively excluded, so the system is counted available only when at least three of the four channels are available):

C_4^3 A_{single}^3 (1 - A_{single}) + C_4^4 A_{single}^4 > 0.9999 \quad (4)

A_{single} > 0.996 \quad (5)

A = \frac{MTTF}{MTTF + MTTR} \quad (6)

When MTTR = 4 h, Eq. (6) with A_{single} = 0.996 gives MTTF = 996 h. That is, if MTTR is 4 h, the test time of the system should be greater than 996 h (if the MTTR of faulty parts is reduced, the required test time decreases accordingly). Table 2 shows the correspondence between the test time and the maximum fault repair time allowed within it when the single-channel availability is 0.996 (equivalent RPS system availability 0.9999).

Table 2. Correspondence between MTTR and test time

MTTR (hours)   Test time (hours)
1              249
2              498
3              747
4              996

3.2.3 Selection of the Window for the Availability Test in the Project Implementation Stage
After consulting a number of relevant documents and considering the current situation of manufacturers during project implementation [4–8], the candidate windows for the DCS equipment availability test are: (1) during the iteration process; (2) after a new version is released and has passed system testing; (3) before supply and delivery. If the availability test is scheduled within the iteration process, it would have to be run very frequently, which puts great pressure on the manufacturer's schedule and budget, so this option is not recommended. Running it after each new version is released and system-tested puts less pressure on the DCS supplier, but may still mean multiple tests, so this is generally not recommended either. The time when equipment abnormalities have essentially been repaired and system stability is approaching the target value is a relatively reasonable and acceptable choice.

3.2.4 Availability Test Process
The availability test and assessment process is shown in Fig. 2.

Fig. 2. System availability test flow

3.2.5 Acceptance Criteria for Availability Testing
According to the equipment technical specification, the availability of the safety DCS system in the nuclear power plant shall be no less than 99.99% (single-channel availability > 0.996). Remarks: if the test fails within the specified assessment period, it may be extended by a further period; if it fails for three consecutive periods, the test is deemed failed.
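As an added example (not the paper's code; the module type names, the reading of a Table 1 entry such as "5 n/N" as K_fi = 5·n/N with n the failed units and N the installed units of that type, and the fault log are all assumptions), the following implements the bookkeeping of Sections 3.2.1, 3.2.2 and 3.2.5 together with the recording rules of Section 4.3: the weighted fault time of Eq. (3) over a constructed fault log, the availability of Eq. (2), the single-channel bound of Eqs. (4) and (5) solved numerically, the MTTR-to-test-time rule of Eq. (6) behind Table 2, and the repeat-period acceptance rule.

```python
"""Availability bookkeeping for the in-plant RPS availability test (Eqs. 2-6).

Added example. The module type names, the reading of a Table 1 entry such as
"5 n/N" as K_fi = 5 * n / N, and the fault log below are assumptions, not data
from the paper.
"""
from dataclasses import dataclass
from math import comb

# Table 1 multipliers; K_fi = WEIGHT_MULT[type] * n / N (assumed type names).
WEIGHT_MULT = {
    "main_control": 5.0, "communication": 3.0, "expansion": 3.0, "io": 1.0,
    "signal_conditioning": 1.0, "preferred": 5.0, "chassis_backplane": 1.0,
    "power_supply": 1.2, "safety_display": 2.0, "other": 3.0,
}


@dataclass(frozen=True)
class FaultEvent:
    module_type: str
    failed_count: int        # n: units of this type that failed in the event
    start_h: float           # hours after test start when the fault was recorded
    restored_h: float        # hours after test start when normal operation resumed
    affects_operation: bool = True   # Section 4.3(2): events with no impact are ignored


def failure_weight(module_type, failed_count, installed_count):
    """K_fi of Eq. (3): Table 1 multiplier times n/N for the module type.
    installed_count (N) counts a redundant pair as one unit (Table 1, Note 1)."""
    if installed_count <= 0:
        raise ValueError("installed count N must be positive")
    return WEIGHT_MULT[module_type] * failed_count / installed_count


def accumulated_fault_time(events, inventory):
    """t_f of Eq. (3): sum of K_fi * t_fi over the events that count."""
    total = 0.0
    for ev in events:
        if not ev.affects_operation:
            continue
        t_fi = ev.restored_h - ev.start_h
        if t_fi < 0:
            raise ValueError(f"restored before start: {ev}")
        total += failure_weight(ev.module_type, ev.failed_count,
                                inventory[ev.module_type]) * t_fi
    return total


def availability_pct(total_test_h, events, inventory):
    """A of Eq. (2) in percent: (t_t - t_f) / t_t * 100."""
    return (total_test_h - accumulated_fault_time(events, inventory)) / total_test_h * 100.0


def system_availability_2oo4(a_single):
    """Left side of Eq. (4): the conservative model counts the 2oo4 system
    available only with at least 3 of 4 channels up."""
    return comb(4, 3) * a_single**3 * (1 - a_single) + comb(4, 4) * a_single**4


def min_single_channel_availability(target=0.9999, tol=1e-9):
    """Solve Eq. (4) for the bound of Eq. (5) by bisection.
    4A^3 - 3A^4 has derivative 12A^2(1 - A) >= 0, so it is monotonic on [0, 1]."""
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if system_availability_2oo4(mid) >= target:
            hi = mid
        else:
            lo = mid
    return hi


def required_test_hours(mttr_h, a_single=0.996):
    """Eq. (6) rearranged: MTTF = A / (1 - A) * MTTR, the rule behind Table 2."""
    return round(a_single / (1 - a_single) * mttr_h, 3)


def assess_periods(period_pcts, threshold_pct=99.6, max_periods=3):
    """Section 3.2.5: a failed period may be repeated; three consecutive failed
    periods mean the test failed. Returns 'pass', 'fail' or 'extend'."""
    if any(p >= threshold_pct for p in period_pcts[:max_periods]):
        return "pass"
    return "fail" if len(period_pcts) >= max_periods else "extend"


if __name__ == "__main__":
    # Constructed inventory (N per type, redundant pairs counted once) and
    # fault log for one 996 h period (Table 2, MTTR = 4 h).
    inventory = {"main_control": 4, "communication": 8, "io": 40, "power_supply": 8}
    log = [
        FaultEvent("io", 1, 120.0, 122.5),
        FaultEvent("communication", 1, 500.0, 503.0),
        FaultEvent("power_supply", 1, 610.0, 612.0, affects_operation=False),
        FaultEvent("main_control", 1, 800.0, 802.0),
    ]
    print(f"A_single bound from Eq. (4): {min_single_channel_availability():.4f}")
    print(f"test hours for MTTR = 4 h: {required_test_hours(4)}")
    print(f"weighted fault time t_f: {accumulated_fault_time(log, inventory):.4f} h")
    print(f"availability: {availability_pct(996.0, log, inventory):.4f} %")
```

With the constructed log the raw fault time is 7.5 h, but the Table 1 weighting (1/40 of the I/O modules, 1/8 of the communication modules, 1/4 of the main control modules) reduces t_f to about 3.69 h, so the 996 h period passes the 0.996 single-channel threshold; the same log with the main control module out for 4 h instead of 2 h would fail it, which is why the 4 h repair target of Section 4.2 matters.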

4 Basic Guarantee of the Test
4.1 Test Preparation and Prerequisites
(1) Confirm that the test environment is available, e.g. site and power distribution; (2) confirm that all test documents are available; (3) confirm that the simulation device for testing is available and working normally; (4) confirm that all fault monitoring means are available; (5) confirm that operators capable of fault identification and handling are present; (6) make sure there are sufficient spare parts.

4.2 Test Guarantee Conditions
There are three core guarantee conditions for this test. The first is the construction of the test environment. A dedicated test device simulates the on-site sensors and actuators, and other third-party systems are connected to the DCS, so that the DCS equipment is in an application environment consistent with expectations and the normal power operation of the plant is simulated. Before the test, all DCS systems are required to have completed integration according to the design documents and to be correctly connected to the test device, building a test environment in which the DCS operates normally. Second, monitoring of fault events during the test, i.e. acquisition of the test process data, is an important link in availability testing and directly affects the validity of the test data. When a fault occurs during operation of the safety-level I&C system, appropriate tools should identify the fault and raise an alarm, which should be communicated promptly and effectively to the testers or staff for repair; in addition, there should be a stable dedicated server for fault event recording that keeps the fault logs for the testers to process the test data. Third, there must be a clear test management mechanism, such as deterministic fault location methods, experienced fault location personnel, appropriate fault location equipment, sufficient spare parts and a sound duty roster, so that when a fault occurs it can be located and repaired within 4 h.
4.3 Test Control and Management
(1) In case of an alarm, contact the relevant personnel immediately to find the cause and restore the system; record the time of occurrence and the time of repair, and continue the test after the problem is resolved. (2) Failure impact analysis: for each failure event included in the calculation, its impact must be evaluated and analysed; when the failure does not affect the normal operation of the equipment, its time can be ignored. (3) During the assessment period, if the equipment is powered off for unforeseeable reasons, a restart is allowed and the test continues with the time accumulated. (4) When the system fails, record the failure start time and the number of failed devices in the corresponding table of the test record; after the relevant personnel have checked and repaired it, record the time when the system resumed normal operation.

5 Conclusion
With the growing awareness of R&D personnel, the design of nuclear power I&C equipment has deepened, and safety design concepts such as passive design, defence in depth, diversity and redundancy have been well applied. However, as equipment safety increases, the scale of the equipment becomes larger, its structure more complex, and the probability of failure also rises. We therefore need to find faults and risks in time, avoid and improve them in advance, and improve the reliability and stability of the products. Only in this way can the nuclear power plant have enough reliability to achieve its overall safety and availability goals, improve its defence in depth and reduce the demands on the safety system. The availability testing method based on system decomposition and a simulated test environment was applied for the first time on the safety DCS of the China Engineering Experimental Reactor, which exposed deficiencies in the method's basic guarantees and management measures. Through in-depth analysis of the exposed problems, targeted technical measures and management guarantee schemes were put forward. The improved test method was applied a second time on the Hualong One safety-level DCS engineering prototype. The results show that the availability test method is operable and feasible in terms of both technology and management.

References
1. HAF102: Safety regulations for design of nuclear power plants
2. Zhu, W., Guo-Min, L.: Reliability assessment and evaluation of full digital DCS in Ling'ao Phase II. China High-tech Enterprises 9, 153–155 (2012)
3. Guang-Qiang, Z., Mo-Wei, S., Rong, T.: Eye tracking technology in availability testing. Ergonomics 7(4) (2001)
4. Li-Xia, Z., Liang Hua-Kun, F., Yi, S.H.: A feasible availability testing process. Comput. Educ. 14, 136–140 (2010)
5. RPS system requirement specification (acp1000s-440500-gg1) [R], version D
6. Li-Yin, W., Ma Quan, X., Biao, Z.Q.: Research on Markov-based calculation of nuclear power plant safety-level DCS availability. Instrum. Users 24(12), 61–65 (2017)
7. Yun-Fei, D.: Research on reliability evaluation and software development of DCS system. North China Electric Power University (2015)
8. He-Chun, W., Yu-Jie, L., Cheng-Fu, L.: Standardized management is an effective way to improve the availability and reliability of the distributed control system of thermal power plants. China Electric Power 05, 67–77 (2003)

Design Method of Human-Computer Interactive Interface of MTS Based on DCS of Nuclear Power Plant Li-Jun Dang(B) , Jun Huang, and Qi Ye Science and Technology on Reactor System Design Technology Laboratory, Nuclear Power Institute of China, Chengdu 610213, Sichuan, China

Abstract. MTS (maintenance and test software), as an important human-computer interaction tool in the DCS of a nuclear power plant, plays a crucial role in the configuration and management of engineering application data, engineering design, system debugging and operational maintenance. With the advent of the information age, industrial designers pay more and more attention to interaction design and users attach increasing importance to the human-machine interaction experience of products, which puts forward new requirements for the human-machine interface of MTS. This paper takes the human-computer interaction visual design of MTS as its core; by analysing the human-computer interaction model and requirements of MTS, it formulates the overall design scheme of the MTS human-computer interaction system, and on that basis proposes a human-computer interaction visual design method applied to the MTS of a nuclear power plant DCS. The method and criteria of human-computer interaction design proposed here are important for the human-computer interaction design of nuclear power plant application software, and also point out the direction for optimising the human-computer interaction of the MTS discussed here. Keywords: Nuclear power plant · DCS · MTS · Human-computer interaction

1 Introduction
In recent years, with the rapid development of nuclear power, the safety, reliability and economy of nuclear power have become a concern. The digital control system (DCS) of a nuclear power plant is its information and control nerve centre. As an important part of the nuclear power plant DCS, MTS plays an important role in ensuring the safe, reliable, stable and economic operation of the plant and in improving the level of production management [1]. Since the start of the 21st century, with continuous innovation in industry and in science and technology and the continuous development of computer communication and network technology, people have more and more demand for automatic monitoring and control, and the trend towards networked industrial products is more and more obvious [2]. Integrating intelligent human-computer interaction design into industrial design can make industrial product design more intelligent [3]. It is to meet these needs of users that intelligent human-computer interaction design is integrated into industrial design, making industrial design products more intelligent [4].

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 247–259, 2021. https://doi.org/10.1007/978-981-16-3456-7_25

L.-J. Dang et al.

MTS is a digital control configuration software that conforms to the nuclear power application scenario. It is used for the configuration and management of safety-level DCS parameters and engineering application data, and meets the functional requirements of the engineering design, system debugging, operation and maintenance and other stages. Application software inevitably involves human-computer interaction, which is the medium for transmitting and exchanging information between users and products and for their mutual communication. Human-computer interaction is a technology that studies people, computers and their interaction [5]. Interaction design helps to improve the scientific basis and rationality of the ways people and objects exchange information, reflects humanised characteristics, and eases the physiological and psychological pressure in the exchange of information between people and objects [6]. Human-computer interaction design is a product operation interaction design technology aimed at usability and user experience, so as to make the product easy to use and efficient and to make people feel satisfied at the same time. In the design, by understanding the target users and their needs, studying the psychological and behavioural characteristics of users when using the product, and integrating various effective interaction methods, a product that meets or even exceeds user expectations is finally designed. An excellent human-computer interaction interface should be designed from a people-oriented, user's point of view, combined with the specific working environment and mode.
A well-designed user interface can make full use of the overall resources of the system equipment to support the human-computer interaction between users and equipment. Generally speaking, the design principles for a human-computer interaction software interface mainly include the user experience design principle, the interface consistency design principle and the aesthetic integrity principle. MTS is a window through which the interaction between users and computers is realised. Given the nuclear power plant application scenario, higher requirements and challenges are placed on the interface interaction design of the software. On the basis of meeting the basic functional requirements of the software, how to make the software easy to use is the focus of this paper. This paper first analyses the basic functions and requirements of the software interface interaction design, then puts forward a set of human-computer interaction design methods suitable for nuclear power plant DCS software, and introduces the design ideas in detail according to the overall framework.

2 Requirement Analysis of MTS Human-Computer Interaction
As the communication medium between the computer and the user, the human-computer interface of MTS is the main way for the user to download and upload data between the engineer station and the lower computer of the nuclear power plant DCS. Therefore the software needs to meet the requirements placed on every aspect of the human-computer interface by the lower computer of the nuclear power plant DCS and by the user of MTS.

Design Method of Human-Computer Interactive Interface of MTS


For MTS, a good human-computer interface not only determines whether the data transfer between the lower computer and the upper computer is displayed to the user in real time and accurately, but also affects the user's first impression of the software. A smooth human-computer interaction process not only greatly reduces the time cost for the user to obtain important information, but also gives the user a very pleasant experience. This has a positive effect on how the user group evaluates the software and even the whole DCS. Before analysing the requirements of the MTS human-computer interaction system, it is necessary to define the human-computer interaction model based on the engineer station software.

2.1 Human-Computer Interaction Model of MTS
BNL first proposed the concept of a digital human-computer interaction model, defined four general cognitive tasks that individual and team tasks need to complete, i.e. situational cognition, monitoring and diagnosis, response formulation and response execution, and provided human-computer interface design requirements based on the digital human-computer interaction model [7]. Based on this concept, the human-computer interaction model based on MTS is defined as shown in Fig. 1.

Fig. 1. Human-computer interaction model of MTS

In the whole model, the human, as the subject of monitoring, uses the human-computer interaction window, i.e. MTS, to complete the tasks of monitoring and diagnosis, situation recognition, operation instruction and response execution. Monitoring includes checking whether the lower computer equipment is operating correctly, e.g. checking that the board channel variables are within the expected range and that the expected operating status is maintained. Diagnosis includes identifying deviations from expected conditions or identifying corrective actions that need to be taken; for example, the system status is monitored and, once a monitored parameter exceeds a boundary or limit condition, a warning is issued through the engineer station software window. The task of situational cognition is mainly realised by the data information display module of the software, which mainly includes the logic configuration display, the variable monitoring table and curve displays, algorithm monitoring, and the equipment status display of equipment monitoring. Operation instructions are the series of interactions generated between the user and MTS during the interaction process: MTS guides the user to the next action according to each step of the user's operation, and the user selects the next process according to the interface prompt. Response execution means that the software must give timely and correct feedback to every step of the user's operation, whether that step is correct or not; the software therefore needs to give sufficient consideration to fault tolerance and error-prevention design to prevent user mis-operation.

2.2 Requirements Analysis of MTS
Based on the human-computer interaction model of the engineer station software, the human-computer interaction system of the engineer station needs to meet the following three requirements: (1) Displaying the functions of MTS with good visual effect is the first condition for successful human-computer interaction. When users use the software, the first step is to understand its functions; a good function display reduces the time for users to become familiar with the software and at the same time achieves more efficient human-computer interaction [8]. (2) Respond to the user's operations correctly and quickly. All the functions of MTS are exercised through the human-computer interaction interface, so correct and efficient response to user operation instructions is very important for the user experience of the software. (3) Clear and professional display of data results.
It must display the data in various scenarios succinctly and clearly, and accurately express the results of data transmission between the upper and lower computers. As an important human-computer interaction window of the nuclear power plant DCS, MTS carries a large amount of professional parameter and alarm information, so the display of professional information is an important part of the user's experience throughout the MTS human-computer interaction. To sum up, the MTS in this paper needs to meet the human-computer interaction requirements of users of both the lower computer and the upper computer of the DCS at the same time, as shown in Fig. 2. The function structure diagram of MTS is shown in Fig. 3.


Fig. 2. Requirements analysis of MTS human-computer interaction

Fig. 3. Functional structure diagram of MTS

3 Overall Scheme of the Software Human-Computer Interaction System of MTS
The design scheme of the software human-computer interaction system of MTS is divided into two aspects, interaction design and interface visual design, as shown in Fig. 4 [9].

252

L.-J. Dang et al.

Fig. 4. Scheme of software human-computer interaction system of MTS

The interaction design of MTS is people-oriented, taking the user’s needs as the basic starting point and ensuring that the software is easy to use on the basis of realizing the basic functional requirements. In the actual design process, the following design principles are met, as shown in Table 1.

Table 1. Interaction design principles

Number | Interaction design principle | Detailed description
1 | Fault tolerance principle | Allow users to undo and redo operations
2 | Simplicity principle | Simple and clear, avoiding abstraction and complexity
3 | Feedback principle | The system should keep the user informed of what is happening so that the user can make appropriate decisions at the right time
4 | Consistency principle | The input procedure of a command or information shall be consistent in composition and result
5 | Ease of use principle | Avoid user confusion
6 | Simplicity and fluency principle | The user’s operation process is reasonable, coordinated and unified

The interface is the most direct layer of interaction between the software and its users. The quality of the interface determines the user’s first impression of the software. A well-designed interface guides the user to complete the corresponding operation. The human-computer interface of MTS needs to display all kinds of interaction information, including algorithm logic configuration, variable configuration, compilation and download, variable monitoring, algorithm monitoring, and the setting information of various functional modules such as standby monitoring and variable forcing. At the same time, the special nuclear power application scenario means that this information differs significantly from information in daily life, including professional terms and special graphic identifiers. Therefore, in the visual design of the MTS interface, while meeting the basic requirements of simplicity and clarity, the commonalities of the special graphic data identifiers should be mined, so that the design of the interactive interface can meet the user’s requirements. In the actual design process, the following design principles are met, as shown in Table 2.

Table 2. Interface design principles

Number | Interface | Detailed description
1 | Control | Standard controls
2 | Display | Consistent display of information representation, such as in font, label style, color, terminology, error message, etc.
3 | Function | Clear functional performance, clear and orderly classification
4 | Interface | Avoid visual confusion caused by too much space nesting
5 | Information | Avoid unnecessary information display causing visual interference to users
6 | Layout | Clear layout
7 | Interface element | The size of interface elements shall be consistent as far as possible, at least in height or width; interface elements need to be aligned in a consistent way to avoid uneven visual effects

3.1 Interaction Design Scheme

The design process of the human-computer interfaces of MTS in this paper is mainly divided into six stages, as shown in Fig. 5. First, the display area of the interactive interface is divided, and the display content of each area is designed. Then the menu structure and interaction flow of the software are designed. The menu module is divided into the main menu and the sub-menus. The main menu displays the main functions of the software, including project management, variable configuration, algorithm configuration, compilation and download, tools, help, etc. Each sub-menu contains only one kind of function; for example, the sub-menu of project management includes creating, modifying and deleting projects, importing and exporting project templates, etc. After the completion of the menu design, it is necessary to design the various pop-ups for fault tolerance, information feedback and error prevention in the interaction process, including the waiting box, progress bar, information prompt box, secondary confirmation box and edit box. Finally, the data display interface and operation process of the important data display module need to be designed. The data display forms of the engineer station software in this paper mainly include variable trend, line chart, model simulation chart, topology chart, table, list, etc.

Fig. 5. Human-computer interaction interface design process of MTS

3.2 Visual Design Scheme

The main colors commonly used in software interface design include blue, red and black. The basic configuration of tone style is shown in Table 3.

Table 3. Software tone style configuration table

Option | Color | Application occasion
Main tone | Blue | Widely used in many industries, such as communication, electronics, production management and others; most software is designed in blue
Performance area | Red | Government units
Performance area | Green | Education, health care, agriculture and forestry
Performance area | Black | Energy, oil
Light | White, light gray, light blue | Text information in light color is easy to read for a long time and does not easily cause visual fatigue

As the engineer application software of a nuclear power plant, the visual design of MTS should adhere to the serious and rigorous character of the engineering field, and the main color is blue. The background color of the work area is white or gray, which meets the general configuration criteria. The overall page background is designed very close to white, generally white, light gray, light blue, etc. For special personalized pages, the color can be changed according to special requirements. In order to reduce the user’s visual fatigue, the background color avoids highly saturated colors. As important operation and maintenance software of the DCS in a nuclear power plant, MTS is of great significance for abnormal fault alarms of the plant. Therefore, the visual design of abnormal faults adopts highly saturated colors to strengthen the warning effect, so as to ensure that users can notice abnormal phenomena in a timely and effective manner and respond accordingly.

4 Example of Human-Computer Interface Design of MTS

4.1 Software Development Environment

The software package of MTS is developed on Microsoft Windows 7 (compatible with Windows XP). The interface style is similar to Microsoft Office 2010; the recommended resolution is 1280 × 1024, and the layout adapts to other resolutions. The whole interface mainly includes the menu bar, navigation tree management window, configuration/display window, information window and status bar.

(1) Menu bar: follows the Microsoft Office 2010 style; (2) Navigation tree management window: including site management and equipment management, displayed in a tree structure; (3) Configuration/display window: equipment configuration, variable configuration, topology, data processing, etc.; (4) Status bar: real-time status information.

4.2 Structure and Layout

MTS is an important tool for data interaction and display between the upper computer and the lower computer. In order to let MTS display its functions better, and also let the user get a good user experience while using the software, the design of the human-computer interface of MTS needs to follow the principles of being intuitive and friendly, simple and beautiful, and easy to operate. The layout model of the human-computer interface of MTS in this paper is shown in Fig. 6 and includes: (1) tool menu bar; (2) tree structure navigation bar; (3) work area; (4) output information status display area; (5) right attribute display area.

Fig. 6. Interface layout model

The overall interface layout of MTS is shown in Fig. 7.

Fig. 7. Overall interface layout of MTS

It can be seen from the above analysis that the overall layout logic is consistent with the workflow, neat and fresh, that the overall interface design is intuitive and friendly, and that the user knows how to operate it. This layout conforms to the habits of engineering personnel and displays valuable information in positions familiar to users, which truly makes the human-computer interaction interface intuitive and friendly. During the interaction between the user and MTS, the user’s operations and their results are displayed intuitively through the interactive interface. At the same time, the visual experience the interactive interface gives the user depends largely on the interface color matching. The main colors of the MTS are blue and white, and the toolbar provides style options with which the user can configure the background color.

5 Significance and Impact Analysis

MTS is a kind of digital control configuration software matched to the nuclear power application scenario. It is used to configure and manage the parameters and engineering application data of the safety-level DCS, and it meets the functional requirements of engineering design, system commissioning, operation and maintenance, etc. Because of its special application scenario, the software has strong professional and functional characteristics, and its user group consists of nuclear power experts and engineers. Therefore, the human-computer interaction visual design of the software is of great significance, and it is necessary to develop an interaction design scheme that meets the nuclear power application background and the software requirements, so that MTS satisfies the basic requirement of ease of use and plays a positive role in the safe and effective operation of the nuclear power plant. Applying a scientific and effective human-computer interaction design method to the MTS software in the DCS of a nuclear power plant has the following positive significance:

(1) Good interaction experience plays an important role in the safe and effective operation of nuclear power plants, improving reliability; (2) Reducing human error. In the process of human-computer interaction design, the basic interaction design principles, including fault tolerance principle, consistency principle and feedback principle, are put forward based on the interaction mechanism between interaction process and human error; (3) Enhance the user experience. Users’ demand for products is no longer limited to the satisfaction of functions, but more concerned about the perceptual experience brought by products. A good interface interaction design will bring users a smooth and comfortable user experience; (4) Improve the market share of products. Good interaction design can significantly improve the usability and user experience of software products, and then effectively improve the market share of products.

6 Concluding Remarks

MTS is an important part of the DCS in a nuclear power plant. With the development of information technology and the continuous improvement of the automation level, the requirements placed on the human-computer interaction system of MTS by the operation and maintenance personnel of nuclear power plants are increasingly high. A good interaction experience plays an important role in the safe and effective operation of nuclear power plants. Therefore, this paper proposes a design method for the MTS human-computer interaction system based on the DCS in a nuclear power plant. First, it states the importance and necessity of human-computer interaction for the MTS of the DCS, and then analyzes the requirements of the software human-computer interaction system in combination with the software human-computer interaction model of MTS. According to the results of the requirements analysis, the human-computer interaction system of the MTS is designed as a whole, and the design ideas are introduced in detail according to the overall framework. Finally, some examples and explanations of the realized software human-computer interaction interface of the MTS are given. Through analysis, the main interface follows the design principles of being intuitive and friendly, concise and beautiful, and simple to operate, which greatly improves the user experience of the software and has a positive impact on the first impression of the user group of the DCS in nuclear power plants.

References

1. Qingjun, M., Yuan, L., Jiqiang, M.: Localization and automation of non-safety level digital I&C system in nuclear power plant. Autom. Panorama 4, 78–82 (2013)
2. Sida, L.: Overview of Interaction Design. Qinghua University Press, Beijing (2009)
3. Zhupeng, L., Zhihang, W.: Application analysis of human computer interaction design in industrial design. Des. Appl. 1, 194 (2019)
4. Xueyuan, P.: The application of interactive design in industrial design. News Res. Guide 10(21), 66 (2019)
5. Yuwei, C., Qinglong, Z.: Application analysis of human-computer interaction design in military radar software. Comput. Knowl. Technol. 14(2), 192–193 (2018)

6. Yaming, L.: The exploration of human-computer interaction design interface problems. Electron. Prod. 02, 66 (2015)
7. Guang, M., Zhiyao, L., Lipeng, P., Jie, Z.: Research on the design method of human-computer interface of nuclear power plant based on digital human-computer interaction model. Instrum. User 26(9), 67–70 (2019)
8. Xiong, Q.: Design of oscilloscope human computer interaction system based on QT. University of Electronic Science and Technology of China (2014)
9. Xiao, H., Guo, G.: Discussion on the visual design principles of multi-sense human-computer interface. Packag. Eng. 33(8), 35–37 (2012)

Formally Verified a Front-End of the Trusted Code Generator for Safety I&C Software of NPPs

Lin Lan1,2, Quan Ma1(B), Rong-Bin Hou1, Wei Jiang1, Ming-Xing Liu1, Fei Yang1, and Yong Li1

1 Science and Technology on Reactor System Design Technology Laboratory, Nuclear Power Institute of China, Chengdu, Sichuan, China
2 Harbin Engineering University, Harbin, China

Abstract. In the nuclear power plant embedded software control area, graphical control algorithms are described by Lustre programs and designed with the graphical editors of the engineering station. They are translated into C programs by a code generator, and the C programs are then downloaded to the embedded platform software of NASPIC. The correctness of the code generator directly determines the credibility and safety of NASPIC, so it is important to ensure the correctness of the code generator’s translation process. Formally verifying the correctness of a code generator has been studied for many years and has become one of the most effective approaches to developing a trusted code generator. This article is based on the requirements of a nuclear safety-level I&C (Instrumentation & Control) system and mainly presents the development of a formally verified code generator front-end. The front-end translates a Lustre source program into S_Lustre (a sequential intermediate language), and it is programmed and proved in Coq (the Coq proof assistant). During the development of the front-end, two key technical challenges were resolved. The first is to ensure that every id appearing in the Lustre program has been defined. The second is to implement the causality analysis and determine the evaluation order of user-defined types and equations based on their dependencies.

Keywords: Formal verification · code generator · Coq · Lustre

1 Introduction

The nuclear power plant safety-level I&C system NASPIC (Nuclear Advanced Safety Platform Instrument and Control) is developed by NPIC (Nuclear Power Institute of China). It is Class 1E software and plays a key role in keeping a nuclear power plant operating stably and safely. The engineering station NASPES (Nuclear Advanced Safety Platform of Engineer Station software) is a model-based control algorithm development environment and an important part of NASPIC, which is mainly applied in the nuclear power plant embedded software control area. It is an integrated development environment that includes graphical control algorithm design, trusted code generation, and control algorithm debugging and simulation functions. The development process of a control algorithm is shown in Fig. 1. Based on the control requirements, nuclear I&C engineers first model graphical control algorithms with the graphical editors of NASPES in the design phase, and then use SCADE Suite KCG (a code generator) to translate the designed graphical control algorithms into C programs. In the implementation phase, the generated C programs are downloaded into the embedded platform software of NASPIC, where they are compiled into executable code to run on the ARM48.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021. Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 260–272, 2021. https://doi.org/10.1007/978-981-16-3456-7_26

Fig. 1. The development process of control algorithm

Compared to an open source code generator, SCADE KCG is more reliable and has been widely used in the safety-critical embedded control area, including nuclear power plants, aerospace and railways. The most traditional methods, including performing large-scale testing and following a rigorous verification and validation (V&V) process [1, 2], are applied in the development of SCADE KCG to eliminate bugs and ensure the correctness of the translation processes. Testing can continually find new bugs and improve the assurance of a code generator, but it cannot solve the miscompilation problem, in which a code generator silently translates a correct source program into an incorrect target program. Miscompilation may lead to a serious accident in nuclear power plant control. Therefore, a more rigorous method is needed to rule out miscompilation during the development of a code generator. Formal verification supports the strict specification, design and verification of software and is often used to develop high-assurance and high-safety software in the embedded safety-critical area [3]. Its application to the development of a trusted code generator has been studied for many years. The most outstanding work in this area is the CompCert compiler developed by Xavier Leroy’s team [4]. The CompCert compiler compiles Clight (a subset of C) programs into executable code and targets PowerPC, ARM and x86 processors [5, 6], and it has been shown to be more reliable than compilers that are not formally verified [7]. Once a code generator is formally verified completely, the target code it generates behaves according to the semantics of the source program. Formal verification applied to the development of a trusted code generator includes two common methods: (1) Theorem proving, which proves the correctness of the code generator itself. (2) Translation validation [8], which avoids proving the correctness of the code generator itself and only verifies that the target program and the source program take the same inputs and produce the same results. Although formal verification is mature enough to be used to develop a code generator, there is no formally verified code generator applied in a nuclear power plant safety-level I&C system. Based on the discussion above, the formal verification method is used to develop a high-assurance and high-safety code generator called NASCG (Nuclear Advanced Safety Code Generator) that aims to replace the code generator KCG. NASCG turns a concurrent Lustre program into a sequential C program and proves the semantic preservation of its transformations in Coq [9, 10]. It not only supports all the syntax features of Lustre V6 [11], but also extends some features to meet nuclear power plant control requirements. This article focuses on the development of the front-end of NASCG, whose main function is to preprocess the Lustre program to bridge the semantic gap between the Lustre language and the C language. The remainder of this article is structured as follows: Sect. 2 briefly introduces the syntax of Lustre and gives a simple Lustre program. Section 3 gives an overview of the architecture of NASCG and presents the development of the front-end. Section 4 gives some common definitions of operational semantics for the languages in NASCG and presents a common theorem for proving the correctness of a translation pass. Section 5 concludes the paper and introduces the future work on NASCG.

2 The Graphical Algorithm Model Description Language Lustre

Since the Lustre language appeared, it has been widely applied in safety-critical embedded software to describe graphical control algorithms with graphical editors, such as SCADE Suite [12] and NASPES. Based on the syntax of the Lustre language, some new syntax features are added to meet the actual control requirements of nuclear power plants. These features include the higher-order iterator operating over arrays, the operators make and flatten operating over structs, and user-defined data types. For simplicity, only a subset of the Lustre syntax is introduced here; it is shown in Fig. 2. A Lustre program is composed of a list of user-defined type declarations (type_block), a list of global constant declarations (const_block) and a list of node declarations (node_block). A node is a function that processes inputs and returns outputs. It is defined as node id (params1) returns (params2) body, where id is the node name, params1 is a list of input parameters, params2 is a list of output parameters, and body is the node body, which is composed of equations. An expression (expr) may consist of variables (id), constants (const), unary-operation sub-expressions, binary-operation sub-expressions, uninitialized delay sub-expressions (pre(expr)), initialized delay sub-expressions (expr fby expr and fby (expr; const; expr)), initialization sub-expressions (expr -> expr), filtering sub-expressions (expr when [not] id), conditional sub-expressions (if id then expr else expr) and higher-order operations over arrays (map node|unop|binop, const (id+ )).

Fig. 2. The syntax of Lustre language

A graphical control algorithm is composed of a number of basic function blocks that are described by Lustre programs. A simple Lustre program is shown in Fig. 3, in which the node counter takes two input streams, one of type integer and the other of type boolean. After processing the input streams, the node counter returns one integer stream. In the graphical editors of NASPES, the node counter is drawn as a rectangular graphical algorithm block with the node name counter, two input ports and one output port, as shown in Fig. 4. The body of node counter contains two equations and a local variable. The first equation computes a conditional expression nested with the initialized delay operation “fby (a;3;0)” and the uninitialized delay operation “pre (a)”, and its result is stored in the local variable x. The second equation defines the value of the output o and computes an expression nested with the initialized delay operation “(2 fby x)*3”, an initialization operation and the filter operation “when not b”. The sub-expression pre (a) defines a stream n such that n(0) = Vundef and n(i) = a(i − 1) for i > 0, where i is the evaluation cycle. The sub-expression fby (a;3;0) defines a stream n such that ∀ i ≤ 3, n(i) = 0 and ∀ i > 3, n(i) = a(i − 3). The filter operation “when not b” controls the samples of a stream based on a logical clock.
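The stream semantics of the temporal operators just described, applied to node counter, as an added Python model that is not part of the paper's Coq development. It counts cycles from 0 (so fby(a;3;0) yields 0 for the first three cycles), represents Vundef as None, marks a cycle at which a "when"-filtered stream has no sample with the constructed sentinel ABSENT, and evaluates the second equation only as far as the sub-expressions the text names, since its full form is not given.

```python
from typing import List, Optional

# Constructed representation: a stream is a list indexed by evaluation cycle
# (cycles counted from 0). None stands for the undefined value Vundef; ABSENT
# marks a cycle at which a "when"-filtered stream carries no sample because it
# lives on a slower logical clock.
Value = Optional[int]
ABSENT = "absent"


def pre(s: List[Value]) -> List[Value]:
    """Uninitialized delay: n(0) = Vundef, n(i) = s(i-1) for i > 0."""
    return [None] + s[:-1]


def fby_n(s: List[Value], n: int, c: int) -> List[Value]:
    """fby(s; n; c): the constant c for the first n cycles, then s delayed by n."""
    return [c] * n + s[: max(len(s) - n, 0)]


def fby(c: int, s: List[Value]) -> List[Value]:
    """c fby s: initialized one-cycle delay, the same as fby(s; 1; c)."""
    return fby_n(s, 1, c)


def arrow(first: List[Value], rest: List[Value]) -> List[Value]:
    """first -> rest: take first(0) at cycle 0 and rest(i) at every later cycle."""
    return first[:1] + rest[1:]


def when_not(s: List[Value], b: List[bool]) -> list:
    """s when not b: keep the samples at cycles where b is false, absent elsewhere."""
    return [ABSENT if flag else v for v, flag in zip(s, b)]


def times(s: List[Value], k: int) -> List[Value]:
    """Pointwise multiplication by a constant; Vundef propagates."""
    return [None if v is None else v * k for v in s]


def counter_x(a: List[int], b: List[bool]) -> List[Value]:
    """First equation of node counter: x = if b then pre(a) else fby(a;3;0).
    At cycle 0 with b true the result is Vundef, because pre is uninitialized."""
    delayed_uninit, delayed_init = pre(a), fby_n(a, 3, 0)
    return [delayed_uninit[i] if b[i] else delayed_init[i] for i in range(len(a))]


def counter_o_parts(a: List[int], b: List[bool]):
    """The sub-expressions the text names for the second equation: (2 fby x) * 3
    and its sampling by "when not b". Returns (product stream, sampled stream)."""
    x = counter_x(a, b)
    product = times(fby(2, x), 3)
    return product, when_not(product, b)
```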

Fig. 3. A simple Lustre program

Fig. 4. The rectangle graphical algorithm block of node counter

3 The Architecture of NASCG

The traditional approach to translating a Lustre program into a C program is to inline all nodes of the graphical control algorithm. By contrast, the clock-directed modular compilation method [13] translates each node of a Lustre program into a separate function of the C program, which is more convenient for users to review. It has been used in some outstanding trusted code generators, such as SCADE KCG and Vélus [14, 15]. The clock-directed modular compilation method is also applied in NASCG, which accomplishes the transformation from a concurrent Lustre program into a sequential C program. The architecture of NASCG is outlined in Fig. 5. It is structured as 7 intermediate languages and 8 passes, which aims to simplify the proof of semantic equivalence of the transformation from the source Lustre program to the target C program. The contents of the dotted box in Fig. 4 describe the translation passes and intermediate languages, and they are encoded in the Coq specification language. Once the correctness of each translation pass has been proved in Coq, the extraction mechanism of Coq is used to extract the translation algorithms into an OCaml program. Finally, the OCaml program is compiled to obtain the executable trusted code generator NASCG. The front-end of NASCG is composed of the first three passes, which are connected by solid double arrows in the dotted box. Its main function is to preprocess Lustre programs, bridging the semantic gap between a Lustre program and a C program. The parsing pass turns a Lustre source file into an AST (abstract syntax tree) not yet annotated with types and clocks. The type check pass checks whether every variable that appears in the program is defined. The simplification pass ensures that pre expressions, -> expressions, fby expressions, higher-order iterator expressions and node instantiations are not nested inside simple expressions. The scheduling pass performs causality analysis and determines the evaluation order of constant declarations, user-defined type declarations and equations based on their dependencies: each variable in a node must be written before being read. The back-end of NASCG consists of the remaining four passes, which are connected by double dotted arrows in the dotted box. Its main function is to translate the Lustre program into a C program step by step. The higher-order iterator elimination pass turns higher-order iterator expressions into for-like statements of the C program and gives a proof of semantic equivalence of the transformation. The temporal operator elimination pass turns fby expressions into conditional statements of the C program. The translation pass translates the concurrent program T-Lustre into a sequential intermediate language called TempC. Equations and nodes in the T-Lustre program are translated into corresponding conditional assignment statements of TempC, so that repeated execution of the sequential program obtains the successive outputs of the streams of the concurrent program. The generation pass turns the intermediate language TempC into C programs that satisfy the C language specification of the nuclear power plant embedded software.

Fig. 5. The architecture and development process of NASCG

The trusted code generator NASCG implements the intermediate languages in the dotted box and the transformations marked by double arrows in the figure. The parsing pass contains a lexer and a parser. The lexer is constructed by OCamllex [16]. The parser is constructed by Menhir which is an automatic tool and can also give a proof of the correctness of transformation [17]. The transformation algorithms of Scheduling, Higher-order iterator elimination, temporal operator elimination, translation and generation pass are developed as recursive functions in Coq.

4 The Core Transformations in the Front-End of NASCG

In the front-end, three tasks need to be done: (1) ensuring that variables, types and nodes have been defined before being used in the Lustre program, (2) introducing a new local variable to substitute for each temporal-operation sub-expression and (3) performing the causality analysis and determining an evaluation order of the equations in a node. In this section, the transformation algorithms that accomplish these tasks are developed in Coq.

4.1 Type Check Pass

In the parsing pass, the data structure record id (name: str, key: positive) is defined in Coq and introduced to store variables, user-defined types and nodes, where name has type string and key has type positive. The type positive is a predefined Coq type with three constructors xH, xO and xI, and the value of key is computed by the function intern_string of the Coq library. In the type check pass, the variables, expressions, nodes and constants of the AST are annotated with types and clocks. Then three data structures, a global environment called genv, a local environment called lenv and a type environment called tyenv, are developed to store the values of variables; they are all balanced binary trees. The genv stores the global constant variables and nodes. The lenv stores the local variables of a node. The tyenv stores all types defined in type_block. Once every id defined in the Lustre program has been stored in the environments, the type check algorithm is used to check whether all variables, types and nodes in the Lustre program are defined. The core algorithm of type check is developed in Coq and shown in Table 1.

Table 1. The core algorithm of type check

ALGORITHM 1: type check

    Definition typeclock_of_env (genv lenv: env) (id: ident) : res (typeL * clock) :=
      match lenv ! id with
      | Some tc => OK tc
      | None =>
        match genv ! id with
        | Some tc => OK tc
        | None => Error (msg "id is not found in env")
        end
      end.

The execution of the type check algorithm is shown in Fig. 6 and includes the following steps: first, the lenv is searched for the id, to check whether the id is defined in the local environment. If it exists in lenv, the tuple (type, clock) of the id is returned. If it does not exist, the genv is searched for the id in the global environment. If the id exists there, it is defined in the global environment and its tuple (type, clock) is returned. Otherwise the error message “id is not found in env” is reported, meaning that the id is not defined in the program.

4.2 Simplification Pass

The simplification pass is an important transformation before the scheduling pass. Its main work is to simplify complex expressions in which fby expressions and node instantiations are nested inside simple expressions. The function acg_temp_name (id) is constructed in Coq to generate a new local variable acgLid, which stores the result of the sub-expression. The simplification algorithm traverses every equation of each node and substitutes a new local variable for each temporal-operation expression and node instantiation. For example, in the code in Fig. 1 line 5, the sub-expression fby (0;3;a) is lifted to equation level by the simplification pass and written as acg_L1 = fby (0;3;a). The sub-expression pre (a) is turned into fby (0;a) and then also lifted to equation level, written as acg_L2 = fby (0;a). The two new local variables acg_L1 and acg_L2 are introduced to substitute for the sub-expressions fby (e;5;0) and fby (0;a) in the expression x = if b then pre(a) else fby (a;3;0). Similarly, the code in Fig. 1 line 6 is simplified like the code in line 5, and the target code of the simplification phase is shown in Fig. 7.

Fig. 6. The flowchart of the type check algorithm

Fig. 7. The Lustre program is simplified

4.3 Scheduling Pass

There is a big semantic difference between a Lustre program and a C program: a Lustre program executes concurrently, but a C program executes sequentially. The main work of the scheduling pass is to eliminate this semantic difference by turning the concurrent Lustre program N-Lustre into the sequential program S-Lustre. The dependencies of user-defined types and equations are defined first. Then, based on the definition of dependencies, the causality of equations, nodes and user-defined types is analyzed to ensure that there is no causality cycle in the N-Lustre program. If there is no causality cycle, the scheduling algorithm determines the evaluation order of the user-defined types and equations. Note that a data structure record {rid:ident; lid:ident; n:nat} called Dep is defined to store a dependency computed from an equation or a user-defined type. The dependencies are defined as follows:


Definition 1 (User-defined type dependency). If a user-defined type ty1 appears in the definition of another user-defined type ty2, then ty2 depends on ty1.

Definition 2 (Equation dependency). For all equations Eq. 1 and Eq. 2 that are not nested with fby sub-expressions and pre sub-expressions, if the variables on the left-hand side of Eq. 1 appear on the right-hand side of Eq. 2, then Eq. 2 depends on Eq. 1.

It is important to note that the computation of equation dependencies in a node is relatively complex, mainly because the pre operator and the fby operator access the data of history cycles. The result of a pre expression or fby expression in an equation has already been written before it is read in the current cycle. So even if the variable on the left-hand side of a fby or pre expression Eq. 1 appears on the right-hand side of the expression Eq. 2, Eq. 2 does not depend on Eq. 1. Based on the discussion above, the scheduling algorithm is developed in Coq and shown in Table 2.

Table 2. The core algorithm of scheduling

ALGORITHM 2: Scheduling

  (* max bounds the recursion depth; deps are the dependencies still to be ordered *)
  Fixpoint toposort_deps (max: nat) (deps: list Dep) : res (list Dep) :=
    match max with
    | O => OK nil
    | S max' =>
      (* l2: dependencies that read nothing still unsorted; l1: the rest *)
      let (l1, l2) := get_nodeps (flat_map lidl deps) deps in
      match l2 with
      | nil =>
        match l1 with
        | nil => OK nil
        | cons hd tl => Error (msg "has a cycle!!")
        end
      | cons hd tl =>
        match (toposort_deps max' l1) with
        | OK l1' => OK (l2 ++ l1')
        | _ => Error (msg "has a cycle!!")
        end
      end
    end.

The scheduling algorithm accomplishes three tasks: (1) causality analysis of equations and user-defined types, to check whether a causality cycle exists; (2) determining the evaluation order of equations, nodes and user-defined types based on Definitions 1 and 2; (3) finding the id of the main node in a program. In the scheduling algorithm above, toposort_deps is a recursive function that takes two input parameters: the dependencies deps and the maximum number of times toposort_deps may call itself recursively. The auxiliary function get_nodeps partitions the list of dependencies deps into two lists l1 and l2. The dependencies in l2 are sorted into the right evaluation order; the dependencies in l1 still depend on others. If l2 is an empty list, l1 is checked as well: if l1 is also empty, the result is the empty list; if l1 is not empty, there must be a causality cycle in deps and the error message “has a cycle” is reported. If l2 is not empty, toposort_deps is recursively called to compute the evaluation order of the remaining dependencies, which is appended after l2.
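An added Python rendering of Definition 2 and of Algorithm 2 (not the paper's Coq, which is shown in Table 2): `compute_deps` builds one Dep per equation, treating fby/pre equations as already written in an earlier cycle so that neither they nor their readers get a current-cycle dependency, and `toposort_deps` mirrors the bounded recursion and the “has a cycle!!” error. The Dep field layout (lids/rids/n), the tuple expression encoding and the sample equations are assumptions of this example.

```python
"""Scheduling pass in miniature: equation dependencies per Definition 2 (with
the page's exception for fby/pre equations) and a Python rendering of the
bounded topological sort toposort_deps of Algorithm 2, including the
causality-cycle error."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Dep:
    """Stand-in for the paper's Dep record: lids are the identifiers the
    equation defines, rids the identifiers it reads in the current cycle,
    n its position in the node (this field layout is an assumption)."""
    lids: frozenset
    rids: frozenset
    n: int


TEMPORAL = ('fby', 'pre')


def read_vars(e):
    """Identifiers read by an expression in the constructed tuple encoding
    ('var', x), ('const', v), ('pre', e), ('fby', args), ('call', node, args),
    ('if', c, t, f), ('binop', op, l, r)."""
    tag = e[0]
    if tag == 'var':
        return {e[1]}
    if tag == 'const':
        return set()
    if tag == 'fby':
        return set().union(*(read_vars(a) for a in e[1]))
    if tag == 'call':
        return set().union(*(read_vars(a) for a in e[2]))
    return set().union(*(read_vars(a) for a in e[1:] if isinstance(a, tuple)))


def compute_deps(equations):
    """One Dep per (lhs, rhs) equation. A fby/pre equation was written in an
    earlier cycle, so neither it nor its readers get a current-cycle
    dependency (Definition 2 applies only to non-temporal equations)."""
    delayed = {lhs for lhs, rhs in equations if rhs[0] in TEMPORAL}
    deps = []
    for n, (lhs, rhs) in enumerate(equations):
        rids = set() if rhs[0] in TEMPORAL else read_vars(rhs) - delayed
        deps.append(Dep(frozenset({lhs}), frozenset(rids), n))
    return deps


def get_nodeps(defined, deps):
    """Partition deps into (l1, l2): l2 reads nothing that an unsorted
    equation still defines and can be evaluated now, l1 depends on others."""
    l2 = [d for d in deps if not (d.rids & defined)]
    l1 = [d for d in deps if d.rids & defined]
    return l1, l2


def toposort_deps(max_depth, deps):
    """Algorithm 2: returns ('OK', ordered_deps) or ('Error', message).
    max_depth bounds the recursion exactly as the nat argument does in Coq."""
    if max_depth == 0:
        return ('OK', [])
    defined = frozenset().union(*(d.lids for d in deps))   # flat_map lidl deps
    l1, l2 = get_nodeps(defined, deps)
    if not l2:
        return ('OK', []) if not l1 else ('Error', 'has a cycle!!')
    status, rest = toposort_deps(max_depth - 1, l1)
    if status != 'OK':
        return ('Error', 'has a cycle!!')
    return ('OK', l2 + rest)


def schedule(equations):
    """Evaluation order of the left-hand sides, or the cycle error."""
    deps = compute_deps(equations)
    status, ordered = toposort_deps(len(deps) + 1, deps)
    if status != 'OK':
        return (status, ordered)
    return ('OK', [next(iter(d.lids)) for d in ordered])


# Constructed samples: a and b are node inputs without a defining equation.
SIMPLIFIED = [   # simplified form of Fig. 1 line 5 plus a consumer of x, deliberately out of order
    ('y', ('binop', '+', ('var', 'x'), ('const', 1))),
    ('x', ('if', ('var', 'b'), ('var', 'acg_L1'), ('var', 'acg_L2'))),
    ('acg_L1', ('fby', (('const', 0), ('var', 'a')))),
    ('acg_L2', ('fby', (('var', 'a'), ('const', 3), ('const', 0)))),
]
CYCLIC = [('p', ('binop', '+', ('var', 'q'), ('const', 1))),
          ('q', ('binop', '*', ('var', 'p'), ('const', 2)))]
BROKEN_BY_FBY = [('p', ('binop', '+', ('var', 'q'), ('const', 1))),
                 ('q', ('fby', (('var', 'p'), ('const', 1), ('const', 0))))]

if __name__ == '__main__':
    for prog in (SIMPLIFIED, CYCLIC, BROKEN_BY_FBY):
        print(schedule(prog))
```

The third sample is the point of the fby exception: p reads q and q reads p, but because q is a fby equation its value comes from the previous cycle, so no causality cycle exists and the schedule succeeds, whereas the purely combinational pair in CYCLIC is rejected.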

5 Operational Semantics and Proof of Correctness

Different kinds of operational semantics describe different observable behaviours of program execution. Two kinds are frequently used: big-step operational semantics and small-step operational semantics. Big-step operational semantics associates a program with its final result; its disadvantage is that the user cannot observe the intermediate states of the program execution. Small-step operational semantics, in contrast, is based on successive reductions of the source program, which allows the user to observe the intermediate states of program execution. Critical embedded software is a typical reactive system that constantly interacts with the external environment, so the user needs to observe not just the final result but also the intermediate states of program execution. Therefore, small-step operational semantics is used to define the common formal semantics of the languages in NASCG. Among the three passes of the front-end described in Sect. 4, only the simplification and scheduling passes change both syntax and semantics, and the correctness of these two transformations needs to be proved in Coq. The semantic environments and memory model are the basis for formally defining the operational semantics of the languages in NASCG. The memory model of CompCert is detailed in [18] and is also reused in NASCG. The definitions of the semantic environments are shown in Fig. 8. ge represents the global environment, which maps global constant ids and user-defined type ids to block references and maps function/node references to function/node definitions. le represents the local environment, which describes the memory state of all local variables in a node instantiation and maps local variables to block references. te represents the temporal environment. The Lustre language contains temporal operators such as pre, fby and -> that access the data of history cycles, so the temporal environment te is constructed to store the data of the history cycles of each node instantiation. te is composed of a list of local environments le: each node has a local environment le for each cycle, and the temporal environment of a node is the list of its local environments, one per cycle.

Fig. 8. Semantic environments and memory models

Based on the semantic environments and memory model, semantic rules are defined to compute the semantic value of expressions, and they are suitable for all languages in NASCG. Rule (1) describes the evaluation of a constant. Rule (2) describes the evaluation of a cast expression: the expression a is computed by the recursive function eval_sexp with result value v1, and then the value is converted to the expected type ty by the function sem_cast. Rules (3) and (4) evaluate arithmetic expressions.

$$\frac{ge, le \vdash \text{eval\_const}\ c = v \qquad \text{has\_type}(v, ty)}{ge, le \vdash \text{eval\_sexp}(\text{Sconst}\ c\ ty) \Rightarrow v} \quad (1)$$

$$\frac{ge, le \vdash \text{eval\_sexp}(a) = v_1 \qquad \text{sem\_cast}(v_1, \text{type}(a), ty) = v}{ge, le \vdash \text{eval\_sexp}(\text{Scast}\ a\ ty) \Rightarrow v} \quad (2)$$

$$\frac{ge, le \vdash \text{eval\_sexp}(a) = v_1 \qquad \text{sem\_unary\_operation}(op, v_1, \text{type}(a)) = v \qquad \text{has\_type}(v, ty)}{ge, le \vdash \text{eval\_sexp}(\text{Sunop}\ op\ a\ ty) \Rightarrow v} \quad (3)$$

$$\frac{ge, le \vdash \text{eval\_sexp}(a_1) = v_1 \qquad \text{eval\_sexp}(a_2) = v_2 \qquad \text{sem\_binary\_operation}(op, v_1, v_2, \text{typeof}(a_1), ty) = v \qquad \text{has\_type}(v, ty)}{ge, le \vdash \text{eval\_sexp}(\text{Sbinop}\ op\ a_1\ a_2\ ty) \Rightarrow v} \quad (4)$$

The front-end is hierarchically divided into several passes throughout the translation from the Lustre source program into S_Lustre. The proof of semantic preservation is the same in each translation pass. Taking the scheduling pass as an example, the semantic preservation of the translation is shown in Fig. 9 and described as follows: if the N_Lustre and S_Lustre programs successively take the same streams of input parameters, then, based on the semantic rules, they successively produce the same streams of outputs and local variables.

Fig. 9. The semantic preservation

The semantic preservation theorem is developed in Coq to mechanically prove the correctness of the transformations in the front-end; it is shown in Table 3. In the semantic environments ge and e, the node fd1 in prog1 is evaluated by the semantic function eval_node with inputs vargs, and the result values vrets are returned (the first hypothesis of the theorem, line 2). The equations in node fd1 are processed by the front-end without reporting an error, and prog1 is thereby turned into prog2 (the second hypothesis, line 3). If the semantic evaluation of node fd2 with the same environments ge and e and the same inputs vargs terminates and yields the same final result values vrets, then the execution of prog2 yields the same results, which is enough to prove the correctness of the transformation from prog to prog’. After proving the correctness of the transformations in the front-end, the trusted transformation algorithms are extracted into OCaml code. The OCaml code is then compiled to obtain a formally verified front-end of the trusted code generator for the safety I&C software of NPPs.

Table 3. The semantic preservation theorem

Theorem: trans_node_correct
  1: forall e e' fd1 vargs vrets,
  2:   eval_node true prog1 ge e e' fd1 vargs vrets ->
  3:   forall fd2, trans_node_block fd1 = OK fd2 ->
  4:   find_funct (node_block prog1) (fst fd1) = Some fd1 ->
  5:   eval_node true prog2 ge e e' fd2 vargs vrets.
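The statement of Fig. 9 and Table 3, made executable as an added Python example (not NASCG's Coq development): a demand-driven evaluator plays the concurrent N_Lustre semantics, a sequential evaluator plays the scheduled S_Lustre program, and both are run on the same input streams, keeping a list of per-cycle local environments as the temporal environment te. The rules (1)-(4) are reduced to constants, variables, binary operators and conditionals without type checks; the equation-level form ('fby', stream, init), the sample equations and the input streams are constructed for this example.

```python
"""Executable reading of the semantic-preservation statement: a demand-driven
evaluator stands in for the concurrent N-Lustre semantics, a sequential one for
the scheduled S-Lustre program, and both are run on the same input streams."""

OPS = {'+': lambda p, q: p + q, '-': lambda p, q: p - q,
       '*': lambda p, q: p * q, '<': lambda p, q: p < q}


def eval_sexp(e, lookup):
    """Rules (1)-(4) in miniature for the constructed encoding ('const', v),
    ('var', x), ('binop', op, l, r), ('if', c, t, f); `lookup` plays the role
    of the local environment le. The has_type checks are left out here."""
    tag = e[0]
    if tag == 'const':
        return e[1]
    if tag == 'var':
        return lookup(e[1])
    if tag == 'binop':
        return OPS[e[1]](eval_sexp(e[2], lookup), eval_sexp(e[3], lookup))
    if tag == 'if':
        return eval_sexp(e[2], lookup) if eval_sexp(e[1], lookup) else eval_sexp(e[3], lookup)
    raise ValueError(f"unsupported expression {tag!r}")


def fby_value(rhs, cycle, prev_le):
    """Equation-level ('fby', stream, init): init on the first cycle, otherwise
    the stream's value in the previous cycle's local environment, i.e. the
    last entry of the temporal environment te."""
    stream, init = rhs[1], rhs[2]
    if cycle == 0:
        return eval_sexp(init, lambda x: {}[x])      # init must be a constant here
    return eval_sexp(stream, lambda x: prev_le[x])


def run_demand(equations, inputs, cycles):
    """N-Lustre reference: each variable is computed when first demanded, so
    the textual order of the equations is irrelevant. Returns te."""
    defs = dict(equations)
    te = []
    for n in range(cycles):
        le = {name: stream[n] for name, stream in inputs.items()}

        def value(x):
            if x not in le:
                rhs = defs[x]
                if rhs[0] == 'fby':
                    le[x] = fby_value(rhs, n, te[-1] if te else None)
                else:
                    le[x] = eval_sexp(rhs, value)
            return le[x]

        for name in defs:          # force every variable so te[n] is complete
            value(name)
        te.append(dict(le))
    return te


def run_sequential(equations, order, inputs, cycles):
    """S-Lustre: equations evaluated strictly in the scheduled order. Reading a
    variable not yet computed in this cycle raises KeyError."""
    defs = dict(equations)
    te = []
    for n in range(cycles):
        le = {name: stream[n] for name, stream in inputs.items()}
        for x in order:
            rhs = defs[x]
            if rhs[0] == 'fby':
                le[x] = fby_value(rhs, n, te[-1] if te else None)
            else:
                le[x] = eval_sexp(rhs, lambda v: le[v])
        te.append(dict(le))
    return te


def semantics_preserved(equations, order, inputs, cycles):
    """trans_node_correct checked by execution on one input: the same input
    streams must give the same streams for every variable. A wrong schedule
    surfaces as a read-before-write KeyError and counts as not preserved."""
    try:
        return run_sequential(equations, order, inputs, cycles) == run_demand(equations, inputs, cycles)
    except KeyError:
        return False


def output_stream(te, name):
    return [le[name] for le in te]


# Constructed sample (already simplified): a and b are inputs.
EQUATIONS = [
    ('acg_L1', ('fby', ('var', 'a'), ('const', 0))),     # pre(a)
    ('acg_L2', ('fby', ('var', 'y'), ('const', 10))),    # previous y
    ('x', ('if', ('var', 'b'), ('var', 'acg_L1'), ('var', 'acg_L2'))),
    ('y', ('binop', '+', ('var', 'x'), ('const', 1))),
]
INPUTS = {'a': [1, 2, 3, 4], 'b': [True, False, True, False]}
GOOD_ORDER = ['acg_L1', 'acg_L2', 'x', 'y']
BAD_ORDER = ['y', 'x', 'acg_L1', 'acg_L2']

if __name__ == '__main__':
    print(semantics_preserved(EQUATIONS, GOOD_ORDER, INPUTS, 4), semantics_preserved(EQUATIONS, BAD_ORDER, INPUTS, 4))
```

Such a check on one input stream is translation validation for that run, not a proof; the Coq theorem quantifies over all environments and inputs, which is why the paper proves it rather than tests it.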

6 Conclusions and Future Work

The trusted code generator NASCG is one of the most important components of the control algorithm development environment NASPES. Its main function is to accomplish the correct transformation from a graphical control algorithm to a C program. Its safety and reliability directly determine the safe and correct action of the nuclear reactor. Formal methods are the most rigorous methods for developing high-safety and high-assurance software and have been used in many safety-critical areas. Therefore, based on studies of the high-safety requirements and of similar trusted code generators such as CompCert, formal methods are used to develop the trusted code generator NASCG, which will substitute the present code generator KCG. In this article, the architecture of the trusted code generator and the concurrent Lustre language are briefly introduced, and the development of the front-end, including its first three passes, is detailed. Its main function is to preprocess the Lustre program and bridge the semantic gap between the Lustre program and the C program. Developing a trusted code generator is a long-term goal, and many key technical problems remain to be solved. As future work, a validation tool will first be developed using the translation validation method to ensure the correctness of the parsing pass. Second, formal verification of the remaining key stages will be continued, including the higher-order iterator elimination, temporal operator elimination, translation and generation passes.

References

1. Scade-suite home [WB/OL]. http://www.esterel-technologies.com/products/scade-suite
2. Wallace, D.T., Fujii, R.U.: Verification and validation: techniques to assure reliability. IEEE Softw. 6(3), 8–9 (1989)
3. Jourdan, J.H., Laporte, V., Blazy, S., et al.: A formally-verified C static analyzer. ACM Sigplan Not. 50(1), 247–259 (2015)
4. Leroy, X.: A formally verified compiler back-end. J. Autom. Reason. 43(4) (2009). Article number: 363. https://doi.org/10.1007/s10817-009-9155-4
5. Blazy, S., Leroy, X.: Mechanized semantics for the Clight subset of the C language. J. Autom. Reason. 43(3), 263–288 (2009). https://doi.org/10.1007/s10817-009-9148-3
6. Bourke, T., Brun, L., Dagand, P.-É., et al.: A formally verified compiler for Lustre. ACM Sigplan Not. 52(6), 586–601 (2017)
7. Yang, X.J., Chen, Y., Eide, E., et al.: Finding and understanding bugs in C compilers. In: Proceedings of the 2011 ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI 2011), pp. 283–294 (2011)
8. Pnueli, A., Siegel, M., Singerman, E.: Translation validation. In: Steffen, B. (ed.) TACAS 1998. LNCS, vol. 1384, pp. 151–166. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054170
9. The Coq Development Team: The Coq Proof Assistant Reference Manual Version V8.3 [EB/OL]. http://coq.inria.fr/
10. Bertot, Y., Castéran, P.: Interactive Theorem Proving and Program Development. Coq’Art: The Calculus of Inductive Constructions. Texts in Theoretical Computer Science. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-662-07964-5
11. Caspi, P., Pilaud, D., Halbwachs, N., et al.: LUSTRE: a declarative language for programming synchronous systems. In: Symposium on Principles of Programming Languages, vol. 259, no. 89, p. 911. ACM (1987)
12. Colaco, J.L., Pagano, B., Pouzet, M.: SCADE 6: a formal language for embedded critical software development. In: International Symposium on Theoretical Aspects of Software Engineering. IEEE Computer Society (2017)
13. Biernacki, D., Colaço, J.-L., Hamon, G., Pouzet, M.: Clock directed modular code generation for synchronous data-flow languages. In: Proceedings of the 9th ACM SIGPLAN Conference on Languages, Compilers, and Tools for Embedded Systems (LCTES 2008), Tucson, AZ, USA, June 2008, pp. 121–130. ACM Press (2008)
14. Gérard, L., Guatto, A., Pasteur, C., Pouzet, M.: A modular memory optimization for synchronous data-flow languages: application to arrays in a Lustre compiler. In: Proceedings of the 13th ACM SIGPLAN Conference on Languages, Compilers, and Tools for Embedded Systems (LCTES 2012), Beijing, China, June 2012, pp. 51–60. ACM Press (2012)
15. Bourke, T., Brun, L., Pouzet, M.: Towards a verified Lustre compiler with modular reset. In: International Workshop (2018)
16. Leroy, X., Doligez, D., Frisch, A., Garrigue, J., Rémy, D., Vouillon, J.: The OCaml system: documentation and user’s manual, 4.03 edition. INRIA, April 2016
17. Pottier, F., Régis-Gianas, Y.: Menhir Reference Manual. INRIA, August 2016
18. Leroy, X., Blazy, S.: Formal verification of a C-like memory model and its uses for verifying program transformations. J. Autom. Reason. 41(1), 1–31 (2008). https://doi.org/10.1007/s10817-008-9099-0

Design of Emulation System for Safety DCS

Hao Peng(B), Xu Zhang, Zhi-Guang Deng, Qi Chen, Yu Zhang, and Wei Jiang

Science and Technology on Reactor System Design Technology Laboratory, Nuclear Power Institute of China, Chengdu, China
Abstract. DCS (Digital Control System) is a very important part of safety protection in an NPP (Nuclear Power Plant). A virtual DCS runs the algorithm configuration of the physical DCS on general-purpose computers and gets rid of the limitations of the hardware. In this paper, an emulation system (virtual DCS) is designed using virtual DPU technology. The virtual DCS can be used to verify the algorithm logic in a closed-loop system composed of the virtual DCS and a digital reactor process model. The virtual DCS and the controlled object are closed into a loop to test the control effects and thereby verify the design of the NPP DCS. For the purposes of scientific research, training and design verification, a virtual DCS should have malfunction simulation and other functions. These functions reflect the superiority of emulation technology.

Keywords: Digital control system · Virtual DPU · Design and verification

1 Background

The design of an NPP physical DCS shall include effective verification. A verification platform for the DCS design is of great value in decreasing the error rate of the design process and increasing its effectiveness. A design verification platform based on a virtual DCS can verify the algorithm logic before the physical DCS is manufactured. The FSS (Full Scope Simulator) formed by the control closed loop, constructed from the virtual DCS and digital reactor models, can effectively verify the effectiveness and safety of the control algorithm [1–3].

2 Virtualization

Simulation is a system analysis procedure based on a physical model. Generally, DCS-level (Level 1) simulation technologies include simulation, emulation and stimulation. Simulation means rebuilding the control logic of the simulated objects with the same function on a different software and hardware platform. Emulation means moving the software of the referenced system or sub-system into the environment in which the simulator is running, keeping the performance and physical behaviour exactly the same as the referenced system. Stimulation is a method of connecting the DCS itself into the FSS [4].

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021 Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 273–281, 2021. https://doi.org/10.1007/978-981-16-3456-7_27


DPU (Distributed process unit) virtualization is the core of the virtual DCS technical method. A virtual DPU (VDPU) realizes the DPU functions in software, separating them from the hardware. The virtual DCS provides the operating environment, the data and command interfaces, the user interfaces etc. to the virtual DPU. With DPU virtualization the simulation system fits the physical one to the maximum degree: the same download file, the same MTS (maintenance station) and the same malfunction simulation, which is very valuable for the training of NPP operators and of configuration engineers at DCS suppliers.

3 Virtual DCS Design

3.1 System Structure Design

The virtual DCS mainly includes four parts: DMS (Data Management System), VCS (Virtual Control Station), VDPU and MTS. DMS runs functions such as external commands, the data interface, malfunction simulation and variable overriding. VCS simulates the physical process control station, offers the operating environment for the VDPU and realizes the communication between stations. VDPU simulates the main control units of the physical DCS and executes functions such as algorithm calculation. MTS connects to each VCS and monitors its operation status (Fig. 1).

Fig. 1. System structure of virtual DCS

Commands are divided into two types, non-forward requests and forward requests. Non-forward requests include capturing a variable’s value, capturing the simulation status and capturing the simulation time, i.e. commands that only need DMS to execute them. These requests are issued by the third-party system and are received and executed by DMS, which responds after finishing the operation (Fig. 2). Forward requests include freezing the project and saving working conditions. When DMS receives such a request from the third-party system it forwards it to all online VCSs and waits for their execution results. Each VCS responds with its result to DMS, and DMS responds to the third-party system after the feedback from every VCS has been confirmed (Fig. 3).


Fig. 2. Non-forward request handling process

Fig. 3. Forward request handling process

3.2 Virtual DPU Development

The key of physical simulation technology is the virtual migration of the DPU. The development of the VDPU shall support cross-platform builds, which reduces dependence on any particular software and allows development on multiple platforms. The software Cygwin offers a Linux environment on Microsoft Windows, which is the reason to choose Cygwin as the development software for the VDPU. Source code can be written in any popular editor and compiled with the GNU gcc suite, which is a completely open-source compiler. At the same time, a makefile is used to describe the compilation order and rules of the project files (Table 1).

Table 1. Comparison on the development of DPU and VDPU

                    DPU     VDPU
  OS                        Windows
  Chip              rm48    Intel X86 etc.
  Development suit  ccs     Cygwin

4 Simulation Functions

The simulation functions of the virtual DCS include operation status adjustment, data management, virtual hardware and malfunction imitation [4].

4.1 Simulation States Switching Function

Each project has three statuses: running, freezing and stepping. The status can be switched between the three at the end of each period, as long as at least one virtual control station is online. At boot time the simulation project immediately enters freezing mode; from there it can be switched manually to running mode or stepping-forward mode, and after a step is finished it returns to freezing mode to wait for the next instruction. In running or stepping mode, to guarantee the consistency of the operation status of the whole project, a newly joined virtual control station enters the current status of the simulation project (Fig. 4).

Fig. 4. Simulation states switching diagram
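An added Python model of the request handling of Sect. 3.1 together with the state switching of Sect. 4.1 (constructed for this page, not the authors' DMS implementation): non-forward requests are answered by DMS from its own data, forward requests are relayed to every online VCS and acknowledged only after all of them have replied, a state request takes effect only at the next period boundary, a finished step falls back to freezing, and a station that joins later adopts the current project state. The request names, the `VCS.execute` reply protocol and the period-boundary hook are assumptions of the example.

```python
"""Model of DMS request handling (Sect. 3.1) and simulation state switching
(Sect. 4.1): non-forward requests are answered by DMS alone, forward requests
are relayed to every online VCS and acknowledged only once all have replied,
and the project state changes only at the end of a period."""

RUNNING, FREEZING, STEPPING = 'running', 'freezing', 'stepping'
NON_FORWARD = ('get_value', 'get_status', 'get_time')        # DMS executes these itself
STATE_REQUESTS = {'run': RUNNING, 'freeze': FREEZING, 'step': STEPPING}
FORWARD = tuple(STATE_REQUESTS) + ('save_condition',)          # relayed to every VCS


class VCS:
    """Virtual control station: executes forwarded requests and reports back."""
    def __init__(self, name):
        self.name = name
        self.state = FREEZING
        self.executed = []

    def execute(self, request):
        self.executed.append(request)
        return 'ok'


class DMS:
    def __init__(self):
        self.stations = {}        # online VCSs by name
        self.state = FREEZING     # the project boots into freezing mode
        self.pending = None       # state requested, applied at the period boundary
        self.variables = {}       # DMS variable list
        self.sim_time = 0

    def station_online(self, vcs):
        """A newly joined station adopts the project's current state."""
        vcs.state = self.state
        self.stations[vcs.name] = vcs

    def handle(self, request, arg=None):
        if request in NON_FORWARD:
            return self._local(request, arg)
        if request in FORWARD:
            if not self.stations:
                return ('error', 'no virtual control station online')
            replies = [vcs.execute(request) for vcs in self.stations.values()]
            if any(r != 'ok' for r in replies):
                return ('error', 'a station failed to execute the request')
            if request in STATE_REQUESTS:
                self.pending = STATE_REQUESTS[request]
            return ('ok', len(replies))     # answered only after every VCS confirmed
        return ('error', f'unknown request {request!r}')

    def _local(self, request, arg):
        if request == 'get_value':
            return ('ok', self.variables.get(arg))
        if request == 'get_status':
            return ('ok', self.state)
        return ('ok', self.sim_time)

    def end_of_period(self):
        """Period boundary, the only point where the state may switch; a
        finished step drops the project back into freezing mode."""
        self.sim_time += 1
        if self.pending is not None:
            self.state, self.pending = self.pending, None
        elif self.state == STEPPING:
            self.state = FREEZING
        for vcs in self.stations.values():
            vcs.state = self.state
        return self.state


if __name__ == '__main__':
    dms = DMS()
    dms.station_online(VCS('A'))
    print(dms.handle('run'), dms.end_of_period(), dms.handle('get_status'))
```

Keeping the requested state in `pending` until `end_of_period` is what makes every station switch on the same period, which is the consistency property the text requires; a station that joins between the request and the boundary still receives the new state, because the boundary writes the state to every online VCS.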

4.2 Data Management Function

As Level 1, the DCS interacts with the Level 0 process model and stores some special working-condition data. The DCS shall support capturing, assigning and overriding variables, saving or reviewing working conditions, saving or reviewing backtrack conditions, etc. Capturing, assigning and overriding of variables are all realized by DMS. Capturing a variable means reading its value from the DMS variable list. Assigning and overriding mean changing the value of a variable in the DMS variable list. Assigning is a one-time modification, and the value may be overwritten by the next calculation result, while overriding ignores the real-time result and keeps the value fixed. Saving or reviewing a working condition and a backtrack condition both store and review the current working condition. Saving a working condition needs manual saving and is permanent, while a backtrack condition is saved automatically but deleted when the simulation host is closed. The saved information includes the information of the virtual control stations, the simulation project, the transmission buffer of DMS, etc.

4.3 Virtual Hardware Function

When migrating the DPU into the virtual environment, the treatment of the hardware devices directly connected to the DPU shall be designed. The hardware devices connected to the DPU include the mode switch and output-closed on-off switch, the reset on-off switch, the LCD screen and the LEDs, as shown in Fig. 5.

Fig. 5. Sketch map of simulation system cabinet

The mode switch and output-closed on-off switches in the physical DPU judge the key status by checking whether the related wire is on or not. In the virtualization migration, this judgement is modified to check the key’s memory space, and the human interface offers interactive ports that operate the key on-off switches. The reset on-off switch executes the DPU reset function, and its virtualization migration is the same as for the key on-off switches. The LCD screen is used to display running status or warning information: the physical DPU sends it the strings to be shown and drives the characters through the LCD driver. In the virtual system, the virtual DPU prepares the components to be shown according to the actual running status of the system and sends them to DMS, which displays them on the human interface. The board status is shown on the LEDs of the physical DPU, which turns an LED on and off by controlling the voltage level on the hard wire. This process is virtualized as follows: the VDPU sends the light signal to DMS, and DMS controls the on and off state of the light.

4.4 Malfunction Simulation Function

In the physical DPU, for malfunctions of the boards inside the DPU itself, the DPU captures the hardware information through self-diagnosis and sets the error information. For example, for a power-supply over-voltage malfunction, the DPU compares the reference voltage with the voltage captured by the A/D and, if the difference (D-value) exceeds the limit, generates the warning signal, displays the warning code on the screen and changes the related system parameters. Two methods are applied to virtualize this function: one simulates the cause of the malfunction to reproduce the error, the other simulates the result of the malfunction. Taking the power-supply over-voltage error again as an example, the simulation system sets the memory space of the VDPU through DMS, changes the hardware information in the related VDPU and creates the same malfunction as in the physical DPU through the VDPU self-diagnosis. The user sets the voltage value on the human interface, which modifies the memory component holding the power-supply voltage of the VDPU. The VDPU self-diagnosis then generates the warning signal if the D-value exceeds the limit; furthermore, it outputs the same warning message on the screen as the physical system and affects the same system variables as the real one. The result-based simulation method requires the operator to set malfunctions through the human interface: the VDPU receives from DMS the instructions to modify the related system variables and generates the same effects as those caused by the malfunction on the real DPU.
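The assign/override distinction of Sect. 4.2 and the two injection methods of Sect. 4.4, as one added Python model (constructed here, not the VDPU's own C code): the VDPU memory image is a dictionary, an assigned value survives only until the next calculation while an override is reapplied after every period, cause-based injection changes the voltage reading that the VDPU's own self-diagnosis compares against its limit, and result-based injection pins the warning variables directly. The nominal voltage, the D-value limit and the warning code are constructed values, since the page gives no figures.

```python
"""VDPU memory image with the DMS assign/override semantics of Sect. 4.2 and
the two malfunction-injection methods of Sect. 4.4, using the power-supply
over-voltage case: cause-based (alter the hardware reading seen by the VDPU's
self-diagnosis) and result-based (set the malfunction's effects directly)."""

VOLTAGE_NOMINAL = 5.0    # constructed values; the page gives no figures
VOLTAGE_LIMIT = 0.5      # allowed D-value (measured minus nominal)
WARNING_CODE = 'PSU_OVERVOLTAGE'   # constructed warning code


class VDPU:
    def __init__(self):
        self.mem = {'psu_voltage': VOLTAGE_NOMINAL, 'power_warning': 0, 'warning_code': ''}
        self.overrides = {}                       # pinned by DMS, reapplied every period
        self.measured_voltage = VOLTAGE_NOMINAL   # what the (virtual) A/D reports

    # DMS data-management operations on the variable list
    def capture(self, name):
        return self.mem[name]

    def assign(self, name, value):
        """One-shot write: the next calculation may overwrite it."""
        self.mem[name] = value

    def override(self, name, value):
        """Pinned write: the real-time result is ignored until released."""
        self.overrides[name] = value
        self.mem[name] = value

    def release(self, name):
        self.overrides.pop(name, None)

    # Cause-based injection changes the hardware information the VDPU sees
    def set_supply_voltage(self, volts):
        self.measured_voltage = volts

    def self_diagnose(self):
        """Same check as the physical DPU: compare the measured and nominal
        voltage and raise the warning when the D-value exceeds the limit."""
        self.mem['psu_voltage'] = self.measured_voltage
        if self.measured_voltage - VOLTAGE_NOMINAL > VOLTAGE_LIMIT:
            self.mem['power_warning'] = 1
            self.mem['warning_code'] = WARNING_CODE
        else:
            self.mem['power_warning'] = 0
            self.mem['warning_code'] = ''

    def cycle(self):
        """One execution period: self-diagnosis, then DMS overrides reapplied."""
        self.self_diagnose()
        self.mem.update(self.overrides)
        return dict(self.mem)


def inject_by_cause(vdpu, volts):
    """Operator sets the voltage on the human interface; DMS writes it into
    the VDPU's memory and the VDPU's own diagnosis produces the warning."""
    vdpu.set_supply_voltage(volts)
    return vdpu.cycle()


def inject_by_result(vdpu):
    """Operator selects the malfunction; DMS instructs the VDPU to set the
    affected system variables as the real malfunction would."""
    vdpu.override('power_warning', 1)
    vdpu.override('warning_code', WARNING_CODE)
    return vdpu.cycle()


if __name__ == '__main__':
    v = VDPU()
    print(inject_by_cause(v, 5.8))
    print(inject_by_cause(v, 5.0))
    print(inject_by_result(v))
```

The cause-based path exercises the same diagnostic code as the physical DPU, so it also tests that the diagnosis itself behaves; the result-based path is quicker to set up but checks only the downstream effect of the warning, which is the trade-off the text describes.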
4.5 Function Design of VDPU

The VDPU shall have functions such as data synchronization, maintenance, master and slave monitoring and periodic execution. Data synchronization includes periodic data synchronization, full data synchronization, synchronization of forced variables when the slave boots, synchronization of forced variable data and synchronization of modified parameter data. While master and slave are running, the slave synchronizes the master’s data periodically, which means the slave overwrites the related data space with the received synchronization data and thereby realizes the data backup. The data to be synchronized includes static variables, parameter modification frames and forced modification frames. When the slave is powered up for the first time, it executes a full data synchronization with the master, including all the forced data, parameter data and algorithm static data in memory. In maintenance mode, the master receives the forced data frame from the MTS and forces the variable modification. At the same time, the master also transmits this forced data to the slave so that the variables are modified on the slave as well. However, the slave does not synchronize data with the master in maintenance mode.
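The master/slave synchronization just described, as an added Python model (this is constructed for the page and is not the authors' VDPU code): periodic frames carry only the static variables, parameter frames and forced frames changed since the last frame, the slave's first power-up pulls the master's full memory image, a forced frame from the MTS in maintenance mode is relayed to the slave even though periodic synchronization is suspended, and a switch-over hands the backed-up data to the former slave. The section names and the frame format are assumptions of the example.

```python
"""Master/slave VDPU data synchronization (Sect. 4.5): periodic frames of the
data changed since the last frame, a full image at slave power-up, and
maintenance-mode forcing that the master relays while periodic sync is off."""

SECTIONS = ('static', 'params', 'forced')   # algorithm static data, parameter frames, forced frames


class VDPUUnit:
    def __init__(self, name):
        self.name = name
        self.data = {s: {} for s in SECTIONS}       # memory image
        self.pending = {s: {} for s in SECTIONS}    # changes not yet sent in a frame

    def write(self, section, key, value):
        self.data[section][key] = value
        self.pending[section][key] = value

    def take_frame(self):
        """Periodic synchronization frame: only what changed since the last one."""
        frame, self.pending = self.pending, {s: {} for s in SECTIONS}
        return frame

    def full_image(self):
        return {s: dict(d) for s, d in self.data.items()}

    def receive(self, frame):
        """The slave overwrites its data space with what it received (backup)."""
        for section, values in frame.items():
            self.data[section].update(values)


class RedundantPair:
    def __init__(self):
        self.master, self.slave = VDPUUnit('A'), VDPUUnit('B')
        self.slave_online = False
        self.maintenance = False

    def slave_power_up(self):
        """First power-up of the slave: full synchronization with the master."""
        self.slave.receive(self.master.full_image())
        self.slave_online = True

    def maintenance_force(self, key, value):
        """MTS forces a variable on the master; the master relays the forced
        frame to the slave even though periodic synchronization is suspended."""
        self.master.write('forced', key, value)
        self.slave.receive({'forced': {key: value}})

    def run_period(self, static_update=None, param_update=None):
        """One execution period on the master, followed by the periodic
        synchronization when the slave is online and not in maintenance mode.
        Returns whether the slave's image now matches the master's."""
        for key, value in (static_update or {}).items():
            self.master.write('static', key, value)
        for key, value in (param_update or {}).items():
            self.master.write('params', key, value)
        if self.slave_online and not self.maintenance:
            self.slave.receive(self.master.take_frame())
        return self.slave.data == self.master.data

    def switch_over(self):
        """Master failure: the slave takes over with the backed-up data."""
        self.master, self.slave = self.slave, self.master
        self.slave_online = False
        return self.master.name


if __name__ == '__main__':
    pair = RedundantPair()
    pair.run_period({'x': 1})
    pair.slave_power_up()
    print(pair.run_period({'x': 2, 'y': 3}), pair.switch_over())
```

The check at the end of `run_period` is what the switch-over experiment in Sect. 5 relies on: as long as the slave's image equals the master's at every period boundary, promoting the slave changes nothing visible to the control loop.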


5 Closed-Loop Simulation Verification

The virtual DCS and the NPP process model together constitute the core of the NPP FSS. To verify the simulation system based on the virtual DCS, the closed-loop simulation system constituted by the physical DCS and the process model, and the simulation system constituted by the virtual DCS and the process model, run the same configuration algorithm and their results are compared [5]. Taking the results of the closed-loop system with the physical DCS as the standard, the virtual DCS is made to work in the same situation as the physical one and execute the same tasks, and the performance of the virtual DCS simulation system is evaluated by calculating the difference between its results and the standard. Various working conditions of the HPR1000 Megawatts PWR NPP are used to describe the verification process. The structure of the semi-physical closed-loop simulation system is shown in Fig. 6. Process parameters from the reactor model are sent to the physical or virtual DCS through a digital sensor model. The calculation results decide the outputs of the control commands, which act on the control rod model and affect the calculation of the reactor and the coolant loop.

Fig. 6. Semi-physical closed-loop simulation system scheme

The reactor power regulation experiment is taken as an example to verify the system. The NPP power model is established as described in the literature [6–8]. In the increasing-load simulation experiment, the load steps from 25% FP (Full Power) to 45% FP and then to 65% FP. The ordinate in the figure is the normalized nuclear power, and sp stands for the change of the power setpoint. PV-VDCS is the experimental result of the simulation system based on the VDPU, while PV-PDCS is that of the physical control system. The two power change trends are recorded and compared to test the accuracy of the simulation system (Fig. 7). From time 0, VDPU A is the master and VDPU B traces VDPU A using the data synchronization method described in Sect. 4.5. At time 290 s, VDPU A is set into the error state and VDPU B is switched to master immediately. The experimental result shows that the switch-over does not affect the control process. Another experiment is the freezing experiment; freezing is a simulation function. The experiment increases the reactor power from 30% FP to 50% FP and freezes the VDPU after the parameters are stable. From the above analysis, after freezing the value sent from the virtual DCS to the third-party system should remain unchanged, but the maintenance station can no longer obtain variable values, since VDPU operation is suspended and its connection with the maintenance station is therefore interrupted. The experimental results are shown in Fig. 8: sp stands for the setpoint of reactor power, pv-VDCS for the process value measured by the VDCS, and pv-MS for the process value measured by the maintenance station. The arrows in the figure mark the time points at which freezing begins and operation continues, respectively; the maintenance station cannot obtain data between these two time points.


Fig. 7. Increasing load working condition simulation experiment

Fig. 8. Freezing function simulation experiment

6 Conclusion

This paper designs and realizes a virtual DCS based on virtual DPU technology, which supports functions such as operation status switching, data management and malfunction simulation. In the virtual system, the virtual DCS in the FSS connects with the Level 0 process model to form the closed-loop system. Taking NPP working conditions as examples for nuclear power adjustment experiments and comparing the calculation results of the virtual DCS and the physical DCS, the error stays within an acceptable range, which proves that DCS virtualization based on this technology is of great value in engineering applications. The simulation system can be widely applied in design verification, working condition analysis, malfunction simulation, operator training, etc.

References

1. Lin, M., Hou, D., Liu, P., Yang, Z., Yang, Y.: Main control system verification and validation of NPP digital I&C system based on engineering simulator. Ann. Nucl. Energy 240, 1887–1896 (2011)
2. Zhang, X., Deng, Z., Li, J., et al.: Design and verification of reactor power control based on stepped dynamic matrix controller. Sci. Technol. Nucl. Install. 2019, 1–11 (2019)
3. National Energy Administration: NB/T 20015-2010 Nuclear Power Plant Simulators for Use in Operator Training and Examination. Atomic Energy Press, Beijing (2010)
4. Gao, H., Qu, M., Li, Q., Jing, Y.: Research and design on virtual DCS process control platform in nuclear power plant. Comput. Integr. Manuf. Sys. 34(2), 144–149 (2017)
5. Peng, H., Zhang, X., Deng, Z., et al.: Design and verification of virtualization transplantation method for distributed control system. J. Shanghaijiaotong Univ. 53(S1), 118–122 (2019)
6. Sun, Y., Zhang, Y., Pang, Z.: A validation and verification method of I&C software of nuclear power station based on FSS. Comput. Integr. Manuf. Syst. 31(4), 147–150 (2014)
7. Deng, Z., Lyu, X., Jian, Y., et al.: Application of SDMC developed based on SCADE in core power control. Process Autom. Instrum. 40(4), 103–106 (2019)
8. Wang, G., Wu, J., Zeng, B., et al.: Model predictive control method for core power control in pressurized water reactor. Atomic Energy Sci. Technol. 51(3), 480–484 (2017)

Trusted Algorithm Compiler for Safety I&C Software of NPPs Based on Formal Methods

Fei Yang1(B), Lin Lan1,2, Quan Ma1, Wen-Xing Han1, Ming-Xing Liu1, and Wei Jiang1

1 Science and Technology On Reactor System Design Technology Laboratory, Nuclear Power Institute of China, Chengdu, Sichuan, China
2 Harbin Engineering University, Harbin, China

Abstract. The algorithm for the 1E system of NPPs is generally developed with a graphical tool at the engineering station. After the executable file is generated by the compiler and downloaded to the platform software, the credibility of the executable algorithm depends on the credibility of the generated program code. Therefore, its security requirements put high demands on the compiler. Formal methods have developed rapidly in recent years in response to the problem of trusted compilation. This paper studies the main methodology and key technological components for designing and implementing trusted compilers, and emphasizes their industrial application based on existing research. The application is optimized, and a new composite compilation architecture is proposed, which reduces the difficulty of the proof work and enhances the flexibility of the compiler’s later phases. Finally, several compiler optimization procedures for the security-level software NASPIC are studied, and the algorithm compilation is enhanced, as well as the trusted performance of the device.

Keywords: Formal verification · Translation validation · Trusted compilation · Credibility

1 Introduction

As a typical safety-critical system, the nuclear power plant safety-level I&C system has extremely high requirements for software security. Chapter 7.2.3, Application-oriented languages and associated automated code generation, of IEC 60880 points out that code generation should comply with the regulations [1]. It is clear from previous experience that the security of the software relies not only on the correct design of the function but also on the reliability of the final executable code. Minor errors introduced by compilation can cause huge hazards, so correct code generation must be guaranteed. Reliability is an important part of developing security-level software, and the establishment of a trusted compiler is an important approach to ensuring the credibility of the code. "Trust" means that people can trust that the generated code is correct and can run directly without modification. "Trusted compiler" not only means that the generated code is correct and credible, but also that the compiler itself is credible and will not produce other results. In the context of information security, it ensures the confidentiality, authenticity and integrity of the information (here, the algorithm to be compiled) transmitted by the software.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 282–291, 2021. https://doi.org/10.1007/978-981-16-3456-7_28

The traditional methods of constructing trusted compilation and eliminating miscompilation are: 1) find compiler errors through a large number of tests; 2) improve compiler quality through strict quality control of the compiler development process in order to reduce the probability of miscompilation; 3) manually check the generated target code, and use V&V review and other verification methods to find out whether the target code is consistent with the source code [2]. The traditional approach has some defects: 1) the compiler is software that implements complex symbol transformations; even if testing is strict, it is difficult to ensure that all cases of the compilation process are fully covered, and the errors introduced by the compiler are usually concealed errors that are also difficult to expose in general functional tests; 2) the verification process contains many human factors, and a series of static methods such as model checking and static detection are needed to prove the correctness of the program, which takes a lot of manpower and material resources. In order to fundamentally resolve the issue of compiler credibility, some researchers have carried out formal verification research on compilers. The basic concept of formal verification is to use mathematical methods to prove correctness or incorrectness according to certain formal specifications or properties. A key change in the aerospace sector, the upgrade from DO-178B to DO-178C, was the addition of formal verification chapters [3]. Maulik summarizes the work on formally verified compilers between 1967 and 2003 [4]. However, the research of this period could hardly be applied to real-world scenarios on a large scale.
In 2009, Leroy designed a compiler based on formal verification [5], which translates Clight, an important subset of C, into PowerPC code and can be directly applied to a wide range of embedded application development. With subsequent research, other targets such as IA32 and ARM are now supported; this compiler is called CompCert. The research of X. Yang et al. shows that CompCert is significantly better than commonly used open-source C compilers in terms of accuracy [6]. Another formal method is translation validation, first proposed by Amir Pnueli in 1998. Translation validation does not directly verify the compiler program; instead, it models the source and target code of the translation process in a unified semantic framework. Pnueli gave an example of the translation validation method for practical engineering, applying it to the synchronous data-flow language Signal. Van Ngo conducted more in-depth studies of Signal-to-C translation in 2012 and 2015 [7]. Although formal verification and translation validation have been used in some fields, there is currently no combination of the two in the field of NPP I&C software. This paper draws on the successful experience of trusted compiler research, that is, applying formal methods to verify the compiler itself, and develops a compiler that conforms to the IEC 60880 requirements, so that the semantics of the compiled executable code are consistent with the proven security properties of the source code, and the key process code conforms to the language coding specification. Sect. 2 introduces the practical application scenario of this paper and selects existing tools for application through comparative analysis. Sect. 3 introduces the research done on the basis of existing work and proposes a new structure, which compares the certification structures to improve and optimize the translation process based on the actual application. Sect. 4 proposes several optimizations for the compiler in its specific application.

2 Related Background

Trusted compilation has been studied in various fields [8–10]. Based on the typical nuclear power industry 1E software NASPIC, developed by NPIC (Nuclear Power Institute of China), this paper carries out practical application research on the trusted algorithm compiler. In NASPIC, the algorithm software is developed in graphical form on the engineering station, and finally an executable file is generated to run in the embedded device. The embedded platform software is generally developed in the C language, so algorithm compilation is divided into two steps: the graphical language is compiled into C, and then the C code is compiled into an executable file. The graphics themselves are not a language; generally, an appropriate container language is selected to convert the graphical logic into language logic. In the NASPIC platform, this work is completed by the engineering station. The scope of this paper is mainly the compilation between languages; the process of translating graphics into a language is relatively simple and is not discussed here.

Fig. 1. Algorithm compilation process (Logic → Logic.xml → SCADE KCG → logic.c → GCC → logic.bin → Embedded Systems)

As shown in Fig. 1, before the study in this paper, the generation of C code and the compilation of C code in NASPIC were completed by SCADE KCG and GCC respectively [11]. GCC is an open-source C compiler that is widely used in embedded development; because of its extensive application experience, the NASPIC platform software uses this compiler. CompCert is a verified optimizing compiler released by French researchers; it is developed on the computer-aided proof system Coq. It divides the translation process into multiple sub-processes and rigorously proves the equivalence between the target code and the source program. X. Yang et al. reported that they spent 6 years checking for errors in various compilers (including VC, gcc, etc.), and only in the verified version of CompCert did they find no errors. SCADE is a safety application development environment widely used in safety-related fields such as nuclear power, aviation and rail transit. Although SCADE has passed the certification of several safety-grade industrial standards, it mainly relies on large-scale testing and long-term application. In recent years, SCADE has also done a lot of work in formal verification [12]. A safety-critical system is generally also a reactive system: data is continuously obtained from the environment and output by the algorithm software. SCADE introduces the synchronous language Lustre to describe the system built from the graphics; the system architecture is first saved as XML, the graphic information is converted into system functions described in the Lustre language, and then the Lustre code is converted into C code. Other synchronous languages include SIGNAL, ESTEREL, etc.; Yang Zhibin of Nanjing University of Aeronautics and Astronautics uses the SIGNAL language to implement safety-critical systems [13]. The team of Wang Shengyuan of Tsinghua University adopted the same Lustre language as SCADE as the intermediate language to complete the algorithm compilation [14]. Drawing on the idea of the above compiler, they analyzed the characteristics of the Lustre language, divided the compilation process into multiple stages and carried it out with the Coq tool. L2C* was released as an open-source project in 2016, supporting the latest Lustre V6 features. This paper tries to replace SCADE KCG and GCC in NASPIC. L2C* and CompCert initially possess the ability to be practically applied as tools, but the actual application to the safety-level software of nuclear power plants still needs a lot of optimization. Section 3 proposes a new compiler architecture for the nuclear I&C field.

3 Trusted Compilation by Formal Methods

3.1 Two Formal Methods

The key to a trusted compiler is semantic consistency. Semantic consistency and trusted compilation are defined as follows: if

$$c = \mathrm{Comp}(s) \qquad (1)$$

then

$$c \approx s \;\wedge\; \mathrm{trusted}(c) \;\Rightarrow\; \mathrm{trusted}(\mathrm{Comp}) \qquad (2)$$

where ≈ denotes that c and s satisfy the semantic consistency relationship (it can also represent satisfying a certain other relationship), and trusted is a logical auxiliary predicate indicating that credibility is satisfied. The compiler is trusted as long as it is proved that the source program s is semantically consistent with the target program c. On the basis of semantic consistency, more optimizations are needed for the compiler [15]. The method adopted by CompCert and L2C* can theoretically ensure that the general properties of the source program are preserved unchanged in the target program. However, the theorem-proving approach must prove the specific implementation of the compiler, so any optimization of the compiler invalidates the original proof; thus, compiler optimization and upgrade work is very difficult. The translation validation method only checks the input and output code of each translation stage of the compiler and does not take into consideration the concrete implementation of the compilation process, so it has good reusability. The shortcoming of translation validation is that the validation program lacks a direct proof of the most critical parts, which is the advantage of formal verification. This paper presents a new architecture that combines formal verification and translation validation in the NPP I&C software field.

3.2 Trusted Algorithm Compiler Architecture - Composite Compilation for NASPIC

This paper proposes a method that combines a "provable compiler" with "translation validation", called composite compilation. The first step is to construct a provable micro-compiler that does not involve complex optimization operations; only the most basic compiler conversion operations are implemented in this step, and formal verification is used to prove its credibility. Secondly, the more complex compiler optimization options are separated so that they can be checked by the programmer depending on the particular scenario. Finally, the provable compiler is used to compare against and verify the credibility of the optimized, more complex trusted compiler, so as to improve compiler flexibility while ensuring the correctness of the compilation operation (Fig. 2).

Fig. 2. Trusted compiler structure (Source code → provable compiler and Optimized compiler → Formal verification → Trusted compiler → Executable code)

The figure shows the overall architecture of the trusted algorithm compiler proposed in this paper. The micro provable compiler has a complete compiling function but only performs the most basic compilation. Optimization options for code security checks have been added to the optimized compiler.

3.3 Proof of the Semantic Consistency of the Compiler

Consistent with L2C* and CompCert, the compiler is proved to preserve the consistency of input and output semantics by theorem proving. Both L2C* and CompCert divide the compilation process into multiple steps: L2C* has a total of 16 passes and CompCert has 10. The provable compiler of this paper is defined to be small, so only the most important passes are included, such as lexical analysis, semantic analysis and grammar analysis, as well as language-oriented passes such as clock calculation, normalization, topological sorting and higher-order operators [16].

The proof process is completed with the Coq proof assistant [17]. Coq is a formal proof tool based on higher-order logic. It uses the method of backward reasoning to construct the proof and represents the whole proof process in the form of terms of the calculus of inductive constructions. The framework, whose kernel is a type checker for terms, can check the correctness of a proof by applying a checking algorithm. To prove or verify the correctness of the compilation process, a formal description of that correctness must be given. The actual translation process is completed in multiple stages; for two intermediate languages marked as S and T, a stage can be defined by:

$$\forall P.\; \mathrm{property}(P) \Rightarrow \mathrm{property}(\mathrm{Comp}(P)) \;\wedge\; S_S(P) \approx S_T(\mathrm{Comp}(P)) \qquad (4)$$

The Comp function translates the program P of the intermediate language S into the program Comp(P) of the intermediate language T, and property(P) and property(Comp(P)) describe the characteristics that the program should satisfy before and after the translation, according to the particular translation pass. $S_S(P) \approx S_T(\mathrm{Comp}(P))$ means that all of P's environment variables have matching objects in Comp(P), and the changes of $S_S(P)$ under a certain environment can be simulated by the changes of $S_T(\mathrm{Comp}(P))$ in the matching environment. Using this approach, the translation passes of each stage are connected in series to obtain semantic preservation for the entire translation process, and at the same time it is guaranteed that $S_S(P)$ and $S_T(\mathrm{Comp}(P))$ can be obtained normally in each stage. The detailed proof work is more complicated and closely related to the specific passes, which is beyond the scope of this paper.

3.4 Ensuring the Optimization of the Compiler by Translation Validation

Because of the combination of formal verification and translation validation, the complex optimizations of the compilation process do not need to be proved; they are checked through a validation process. The validation process is performed by a validator, which can be regarded as a boolean function Validate(S, O) that validates the property S ≈ O, that is, that the semantics of S and O are consistent. The translation validation process can be described as: if

$$\mathrm{Comp}(S) = \mathrm{OK}(O) \;\wedge\; \mathrm{Validate}(S, O) = \mathrm{true} \qquad (5)$$

then Comp is verified. The validator can be implemented in a variety of ways, such as static analysis of the source and target programs, model checking or automatic theorem proving [18]. In general, the validator automatically reports an error when validation fails and provides a counterexample path for error analysis. This paper chooses symbolic calculation to construct a validator for translation validation of the input and output programs (Fig. 3).

Fig. 3. Translation validation (Input from the provable compiler and Output from the optimized compiler → Symbolic simplification → Equivalence judgment → YES: OK / NO: Alarm)

The code compiled by the provable compiler and the code compiled by the optimized compiler are used as the inputs to the validator, called INPUT and OUTPUT. The validator first converts them into initial VFGs (evaluating flow graphs), which then undergo symbolic operations and simplification. Finally, an equivalence determination is made, and OK or an alarm is returned as output.

3.5 Trusted Compilation Optimization Research

Upon meeting the basic requirement of ensuring the compiler's credibility, the credibility of the executable code compiled by the compiler (that is, the compiled object) needs to be further guaranteed. This section briefly introduces the code security optimization mechanisms adopted by NASPIC. With its introduction into NASPIC, the optimized compiler can be flexibly adjusted: as long as the verification passes, it can be applied to the security-level software, with the guarantee that the optimization will not introduce new compilation errors. We enhance the trusted performance of the generated code by adding three mechanisms on top of the traditional compilation operations (Fig. 4). The arrows in the figure indicate the interaction of data: (1) code hierarchy information; (2) type information, operation information, data stream information, etc.; (3) code modification information; (4) intermediate code information; (5) executable code; (6) comprehensive information; (7) alarm information.

1) Security enhancement: This mechanism is an integrated implementation of the proposed defense methods for various program vulnerabilities. The code security enhancement mechanism is mainly used to identify and handle some of the common security vulnerabilities in the program. There are many compiler processing techniques for common security vulnerabilities of programs, such as protection against buffer overflow attacks. The translator only guarantees the consistency of the semantics before and after compilation. If the security vulnerabilities in the semantics of these programs can be analyzed, using the detailed program structure and operation information extracted during the compilation process to enhance the security of the code will greatly strengthen the executable.

2) Credibility verification: After the code security enhancement mechanism enhances the security of the code, the trusted attributes of the code are verified by the code credibility verification mechanism, and untrusted code that has not passed the verification is alarmed or otherwise processed. This enables programmers to quickly locate the problems and adjust the optimization strategies accordingly.
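The validator of Sect. 3.4 and the Fig. 3 description, as an added example that is not code from the paper, L2C* or CompCert: INPUT (the provable compiler's output) and OUTPUT (the optimized compiler's output) are written in a constructed Lustre-like equation language (assumed here, not the paper's format), turned into value-flow graphs over the inputs, symbolically simplified and compared, and a failed judgment returns an alarm with a concrete counterexample where one can be found. It also shows the conservative behaviour a practitioner wants: an equivalence the symbolic step cannot establish (associativity is deliberately not handled) is reported as an alarm rather than accepted.

```python
import itertools
import re

TOKEN = re.compile(r"\s*(\d+|[A-Za-z_]\w*|[-+*()])")  # integers, identifiers, + - * ( )

def parse_expr(text):
    """Recursive-descent parser: ('var', x) | ('const', n) | (op, left, right)."""
    toks, pos = TOKEN.findall(text), 0
    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]
    def atom():
        t = take()
        if t == "(":
            e = addsub()
            assert take() == ")", "missing ')' in %r" % text
            return e
        return ("const", int(t)) if t.isdigit() else ("var", t)
    def mul():
        e = atom()
        while pos < len(toks) and toks[pos] == "*":
            take()
            e = ("*", e, atom())
        return e
    def addsub():
        e = mul()
        while pos < len(toks) and toks[pos] in ("+", "-"):
            e = (take(), e, mul())
        return e
    e = addsub()
    assert pos == len(toks), "trailing tokens in %r" % text
    return e

def parse_program(src):
    """Constructed program format, one per line: 'input a', 'output y' or 'x = expr'."""
    prog = {"inputs": [], "outputs": [], "eqs": {}}
    for line in filter(None, (ln.strip() for ln in src.splitlines())):
        kind, _, rest = line.partition(" ")
        if kind in ("input", "output"):
            prog[kind + "s"].append(rest.strip())
        else:
            lhs, _, rhs = line.partition("=")
            prog["eqs"][lhs.strip()] = parse_expr(rhs)
    return prog

def value_flow(prog, name, stack=()):
    """VFG node: the expression of `name` over program inputs only (locals inlined)."""
    if name in prog["inputs"]:
        return ("var", name)
    if name in stack or name not in prog["eqs"]:
        raise ValueError("cyclic or undefined variable: " + name)
    def inline(e):
        if e[0] == "var":
            return value_flow(prog, e[1], stack + (name,))
        return e if e[0] == "const" else (e[0], inline(e[1]), inline(e[2]))
    return inline(prog["eqs"][name])

def simplify(e):
    """Symbolic simplification: constant folding, identity laws, commutative ordering."""
    if e[0] in ("var", "const"):
        return e
    op, a, b = e[0], simplify(e[1]), simplify(e[2])
    if a[0] == "const" and b[0] == "const":
        return ("const", {"+": a[1] + b[1], "-": a[1] - b[1], "*": a[1] * b[1]}[op])
    if (op in ("+", "-") and b == ("const", 0)) or (op == "*" and b == ("const", 1)):
        return a
    if (op == "+" and a == ("const", 0)) or (op == "*" and a == ("const", 1)):
        return b
    if (op == "*" and ("const", 0) in (a, b)) or (op == "-" and a == b):
        return ("const", 0)
    if op in ("+", "*") and repr(a) > repr(b):  # a+b and b+a share one canonical form
        a, b = b, a
    return (op, a, b)

def evaluate(e, env):
    """Concrete evaluation, used to turn a failed judgment into a counterexample."""
    if e[0] in ("var", "const"):
        return env[e[1]] if e[0] == "var" else e[1]
    x, y = evaluate(e[1], env), evaluate(e[2], env)
    return {"+": x + y, "-": x - y, "*": x * y}[e[0]]

def validate(input_src, output_src, probe=(-2, -1, 0, 1, 3)):
    """Validate(S, O) of Eq. (5): ('OK', None) when every output of the optimized program O
    simplifies to the same form as in the provable program S, else ('ALARM', details)."""
    s, o = parse_program(input_src), parse_program(output_src)
    if s["inputs"] != o["inputs"] or s["outputs"] != o["outputs"]:
        return ("ALARM", {"reason": "interface mismatch"})
    for out in s["outputs"]:
        vs, vo = simplify(value_flow(s, out)), simplify(value_flow(o, out))
        if vs == vo:
            continue
        for vals in itertools.product(probe, repeat=len(s["inputs"])):  # search a witness
            env = dict(zip(s["inputs"], vals))
            expected, got = evaluate(vs, env), evaluate(vo, env)
            if expected != got:
                return ("ALARM", {"output": out, "env": env, "expected": expected, "got": got})
        return ("ALARM", {"output": out, "reason": "not proven equivalent"})  # conservative
    return ("OK", None)

# Constructed sample: INPUT from the unoptimized provable compiler ...
PROVABLE = "input a\ninput b\noutput y\noutput z\nt = a + b\ny = t * 1\nz = (a * 0) + b"
# ... OUTPUT of a correct optimized compiler (identities folded, operands reordered) ...
OPTIMIZED_OK = "input a\ninput b\noutput y\noutput z\ny = b + a\nz = b"
# ... and OUTPUT of a miscompiling optimizer that folded a * 0 + b to a.
OPTIMIZED_BAD = "input a\ninput b\noutput y\noutput z\ny = a + b\nz = a"
```

`validate(PROVABLE, OPTIMIZED_OK)` returns `('OK', None)`, while `validate(PROVABLE, OPTIMIZED_BAD)` returns an alarm naming output `z` together with the input assignment on which the two programs disagree.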

Fig. 4. Optimized compiler (traditional compiler: lexical analyzer → parser → semantic analyzer → intermediate code generator → code optimization → code generation; added code security enhancement mechanism, code credibility verification mechanism, executable code protection mechanism, optimization mechanism and alarm mechanism, connected by the data flows 1–7 listed above)

3) Code protection: In order to prevent an attacker from maliciously tampering with the final executable code generated by the trusted compiler, or analyzing, stealing or modifying it while the code is running, the trusted compiler can protect the executable after completing the compilation operation. The code protection mechanism guarantees the integrity and usability of the compiled executable code: it encrypts the executable code and uses the support of the hardware platform to implement safe operation of the algorithm.

4 Examples and Applications

Here is an example to illustrate how it is actually applied: use Coq to construct a provable compiler, write a compiler driver file in the OCaml language, provide a parse_command to control whether to use compiler optimization options, and use flag_ocamal_parser to control whether the OCaml syntax parser or the Coq syntax parser is used. The core configuration code is as follows (the file name is passed to read_whole_file and the parsed tree is returned):

    (* Translate one Lustre source file; the parser choice is an optimization option. *)
    let translate fn =
      let lustre_content = read_whole_file fn in
      let ast =
        if !flag_ocamal_parser then parser_by_ocamal lustre_content  (* faster, unverified *)
        else parser_by_coq lustre_content                            (* formally verified *)
      in
      if !flag_print_parse then print_string (PrintTree.lus_output ast);
      ast

The choice of parser is a compiler optimization option. It is more credible to use the Coq parser, which has been formally verified, while the test results show that using the OCaml parser is significantly faster. In actual engineering applications, compilation optimization options should be selected comprehensively, considering the application scenarios (Fig. 5).

Fig. 5. Compiler

5 Conclusion

Based on the security software NASPIC, and combining formal verification with translation validation, this paper studies trusted compilation and proposes a composite compilation architecture for NASPIC, which improves compiler optimization while guaranteeing compiler reliability and has practical value under certain circumstances. In addition, several optimization mechanisms for the NASPIC software have been proposed, though they are not yet perfect; for example, WCET observation based on the executable code can be added. Although great progress has been made so far, the optimization of trusted compilation will remain a long-term, continuous work in the foreseeable future.

Acknowledgments. Thanks to the advice of the team of Wang Shengyuan, Tsinghua University.

References

1. CEI/IEC 60880:2006, Nuclear power plants - Instrumentation and control systems important to safety - Software aspects for computer-based systems performing category A functions. CEI/IEC, Geneva (2006)
2. Carter, A.-L.: Safety-critical versus security-critical software. In: 5th IET International Conference on System Safety 2010. 2010a Formally Verified C Static Analyzer (2010)
3. Software Considerations in Airborne Systems and Equipment Certification. RTCA DO-178C (2012)
4. Dave, M.A.: Compiler verification. ACM SIGSOFT Softw. Eng. Notes 28(6) (2003)
5. Leroy, X.: Formal verification of a realistic compiler. Commun. ACM 52(7) (2009)
6. Yang, X.-J., Chen, Y., Eide, E., et al.: Finding and understanding bugs in C compilers, vol. 46, no. 6, pp. 283–294 (2011)
7. Wheeler, D.A.: Countering trusting trust through diverse double-compiling. In: The 21st Annual Computer Security Applications Conference (ACSAC 2005) (2005)
8. Yoo, J., Jee, E., Cha, S.: Formal modeling and verification of safety-critical software. IEEE Softw. 26, 42–49 (2009)
9. Heitmeyer, C., Archer, M., Leonard, E., McLean, J.: Applying formal methods to a certifiably secure software system. IEEE Trans. Softw. Eng. 34, 82–98 (2008)
10. Cantone, D.: Games, automata, logics and formal verification (GandALF 2016). Inf. Comput. (2018)
11. http://www.esterel-technologies.com/products/scade-suite/
12. Duy, T.C., Binh, N.T., Parissis, I.: Automatic generation of test cases in regression testing for lustre/SCADE programs. J. Softw. Eng. Appl. 6(10A), 27–35 (2013)
13. Yang, Z.B., Zhao, Y.W., Huang, Z.Q., Hu, K., Ma, D.F.: Time-predictable multi-threaded code generation with synchronous languages. J. Softw. (2016)
14. Wang, L., Shi, G., Dong, Y., Bai, X.-Y., Wang, S.-Y.: Trusted compiler for safe subset of C language. Comput. Sci. 40(09), 30–34 (2013)
15. Shang, S., Gan, Y.-K., Shi, G., Wang, S.-Y., Dong, Y.: Key translations of the trustworthy compiler L2C and its design and implementation. J. Softw. 28(05), 1233–1246 (2017)
16. Ngo, V.C., Talpin, J.P., Gautier, T., Le Guernic, P., Besnard, L.: Formal verification of compiler transformations on polychronous equations. In: Derrick, J., Gnesi, S., Latella, D., Treharne, H. (eds.) Integrated Formal Methods. LNCS. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30729-4_9
17. Coq Development Team: The Coq Reference Manual (2016). http://coq.inria.fr/
18. Howar, F., Margaria, T., Wagner, C.: Simplifying translation validation via model extrapolation. J. Integr. Design Process Sci. 17(3), 71–91 (2014)

Design and Implementation of Translation-Based Virtual DCS Based on Simulink

Xu Zhang(B), Zhi-Guang Deng, Quan Ma, and Ming-Ming Liu

Science and Technology on Reactor System Design Technology Laboratory, Nuclear Power Institute of China, Chengdu, China

Abstract. The translation-based virtual DCS based on Simulink can realize the function of virtualizing the physical DCS. This paper presents a method to virtualize a physical DCS by using Simulink to realize the functions of running, freezing, acceleration and deceleration, setting and acquiring variable values, malfunction simulation, snapping and loading initial conditions, etc. The virtual DCS realizes configuration translation by translating the configuration files of the physical DCS platform to the Simulink platform, generating code from the configuration, and compiling the code into algorithm files. The virtual DCS is combined with process model software to form a closed loop, which simulates the level control system of the steam generator of a megawatt pressurized water reactor nuclear power plant for verification. Effective results have been achieved, which proves that the translation-based virtual DCS can achieve the simulation effect required of the simulator.

Keywords: Virtual DCS · Translation · Simulink

1 Introduction

The I&C (instrumentation and control) system can be divided into three levels: Level 0, Level 1 and Level 2. Level 0 is the model and equipment layer, mainly including the nuclear power plant process model, teaching and operation platform, sensor and switch cabinet models, etc. [1]. Level 1 is the control layer, mainly including DCS-based controller equipment. Level 2 is the HMI (human-machine interface) layer of the main control room, which realizes functions such as panel instruments, operator station screen display and the human-machine interface [2]. The literature describes three main methods of Level 1 simulation [3]: simulation, emulation and stimulation. Simulation refers to the reimplementation of the control logic of the simulated object on a new software and hardware platform. This process is usually implemented by translation software [4, 5]. Through a translation-based virtual DCS, the DCS software and hardware systems are transplanted to general-purpose computers; this process is called translation [6]. This paper designs and implements a translation-based virtual DCS, which realizes the simulation function and can form a closed loop with the Level 0 process model to realize the simulation function of the FSS (full scope simulator) [7, 8].

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 292–300, 2021. https://doi.org/10.1007/978-981-16-3456-7_29


2 System Design

The source DCS platform configuration includes three types: logic, hardware and screen. Among them, there is only a small amount of SVDU for nuclear safety DCS, which is usually considered separately as another system and will not be discussed in depth in this paper. This paper designs a translation-based virtual DCS for the logical configuration and hardware configuration.

2.1 Process System Model

The general process of the translation-based virtual DCS based on Simulink is shown in Fig. 1.

Fig. 1. General process of translation-based virtual DCS based on Simulink (source DCS platform configuration → translation software → Simulink model → Simulink code generator → C++ code → compiler → configuration static link library (*.lib), called per cycle by the management scheduling software)

The configuration translation software obtains the algorithm blocks and their connection relations by reading the configuration file of the source DCS. It then calls the drawing interface of the Simulink software to automatically redraw them on the Simulink platform to form the Simulink model. Then the Simulink code generator is used to convert the Simulink model into C++ code, which is compiled into an algorithm library file and then scheduled periodically to realize the algorithm operation in each period. At the beginning of each period, according to the received instructions, the simulation functions are executed. In this process, Simulink is only used as the target platform and code generator for translation; it does not carry out the simulation operation. The period of the simulation operation can be completely determined by the scheduling time interval of the simulation software, and the period is no longer constrained by the mechanism of Simulink itself. Taking the Simulink model named level1 as an example, the functions included in the level1ModelClass class provided by Simulink are used to carry out model operation or parameter scheduling. The model initialization, step size setting (taking 45 ms as an example) and single-step simulation operation are respectively carried out by:

    level1_Obj.initialize();                        // initialize the generated model object once
    level1_Obj.getRTM()->Timing.stepSize0 = 0.045;  // fixed step size in seconds (45 ms)
    level1_Obj.step();                              // advance the model by one period

The initialization function and the step size setting function can be performed once, and the single-step simulation operation function needs to be called in each algorithm period to realize the algorithm operation in that period. The flowchart of algorithm periodic scheduling is shown in Fig. 2. The first stage is the initialization stage, which completes the reading and analysis of information, including the IO lists of Level 0 and Level 1, the Level 1 signal channel configuration table, model header files, and the Level 0 and Level 1 variable lists, to prepare for subsequent work. Then the program enters the instruction processing loop and at the same time establishes a periodic cycle thread and a timing thread, which respectively carry out algorithm scheduling and period timing. The instruction processing loop waits for a command sent by a user or a third-party system, sets the instruction flag and instruction parameters, and transmits the command to the periodic cycle thread and the timing thread. The periodic cycle thread realizes the data interaction between Level 1 and Level 0 every period, updates the input values of the algorithm operation, executes the simulation functions (such as snapping working conditions, etc.), and performs the algorithm operation of this period. The timing thread calculates the duration of the current period by comparing with the speed factor, and controls the period length.

Fig. 2. Algorithm periodic scheduling flowchart (initialization: read IO lists of Level 0 and Level 1, read Level 1 channel configuration table and model header files, read Level 0 and Level 1 variable lists; command processing: set instruction flags and parameters until an exiting instruction sets the exiting status; timing thread: get tick time, get speed factor and length of this period, wait for this cycle to end and start the next cycle; periodic cycle thread: wait for the period starting signal, data interaction between Level 1 and Level 0, execute simulation functions, algorithm operation; both threads end once the exiting status is set)

2.2 Configuration Translation The general process of configuration translation is shown in Fig. 3. The translation process is divided into two stages: the analysis algorithm configuration stage and the Simulink drawing stage.

Fig. 3. General process of configuration translation (flowchart labels recovered from the figure: starting; analyze configuration: read configuration, analyze blocks and connection relation, create variables for blocks and connections; drawing Simulink: start Matlab and Simulink, open algorithm library, draw blocks and lines; ending)

In the analysis algorithm configuration stage, the translation software first reads and analyzes the configuration file and obtains the algorithm blocks and the connection relation information among them from the configuration. It then summarizes this information into an algorithm block summary table and a connection relation summary table. The control algorithm on the physical Level 1 platform and the Simulink platform algorithm stand in a mapping relationship. That is, each algorithm block, and the connection relationship between the algorithm blocks, of each algorithm page on each control station of the physical Level 1 platform should be mapped to the Simulink platform according to a certain rule. The following two variables are created to store the configured algorithm block and connection information:

public static List<Item> items = new List<Item>();
public static List<Line> Lines = new List<Line>();

The structure Item includes information such as the number of an algorithm block, symbol type, station number, page number, etc. The structure Line includes the station number, the starting algorithm block number and connection port number, and the ending algorithm block number and connection port number of a certain connection line. The variables items and Lines represent everything the configuration algorithm needs in the translation process.


In the stage of drawing Simulink, the software starts Matlab and Simulink, opens the algorithm library, builds an empty model, and redraws the algorithm block summary table and the connection relation summary table on the Simulink platform, thereby realizing the translation of the DCS platform configuration. This process involves sending various instructions such as add_line, add_block, Execute, etc. to Simulink, through which Simulink can be dispatched to redraw the configuration.

2.3 Periodic Control and Fast and Slow Speed Functions

The timing thread is started after program initialization to realize the timing functions independently of the other modules and to ensure the accuracy of software period management. Fast and slow speed is expressed in the form of a speed factor with an initial value of 1. The initial operation period of the software is the same as that of the main processing unit of the physical system. When the speed factor is positive, it means accelerating by the specified multiple; when it is negative, it means slowing down to the specified speed. The actual software operation period is formed by dividing or multiplying the original main processing unit period by the absolute value of the speed factor. The timing thread records the operating system signal every millisecond and, after judging that the length of this period has reached the actual period length, generates the signal starting the next period.

2.4 Implementation of Variable Value Setting and Acquiring

The input and output variables of the Simulink model are stored in two structures, named ExtU_modelname_T and ExtY_modelname_T respectively. Taking the Simulink model named "level1" as an example, the format of the input variable structure is:

typedef struct {
    real_T In1;
    real_T SP;
} ExtU_level1_T;

The value of an output variable is overwritten by the calculation result after each calculation, so there is no need to add a value-setting function for output variables. After being combined with Level 0 to form the FSS, the variable values that Level 1 takes from Level 0 are handled in the same way. The variable value setting function is mainly applied to scheduling with a third-party system, or to applications where the virtual DCS is used alone.


The header file of the Simulink model (*.h) is parsed into a text document (*.txt) recording the sequence of each variable in the structure, from which the address of each variable is calculated. The implementation is to define a pointer of type real_T, point it at the start of the structure, locate the position of the variable to be operated on within the structure, and move the pointer to that variable, thus realizing the operation on the variable. The sample code is as follows:

real_T* in_point;
in_point = (real_T*)&Level1_Obj.level1_U;
in_point = in_point + count;

2.5 Snapping and Loading Working Conditions Function

The entire structure type of the Simulink model is the model class, named after the model. Taking the Simulink model named level1 as an example, the functions of snapping and loading are explained. Define a static variable Level1_Obj of type level1ModelClass:

static level1ModelClass Level1_Obj;

Snapping and loading a working condition is the process of writing this static variable to, or reading it back from, a physical file.

2.6 Analysis on the Pressurizer Level Control System

Hardware simulation refers to the board card and channel number of each signal recorded by the simulation system on the physical DCS, which is the basis for simulating a board card or channel failure. Malfunction simulation is used to simulate the situation in which the corresponding input and output signal status becomes bad because a board card or a signal path of the DCS fails. Malfunction simulation is implemented by the management scheduling software, which obtains the position of each variable in the board and channel through the equipment configuration file and the variable point table. Third-party systems can obtain or set malfunction information through the management scheduling software. When a malfunction is triggered, the status bit of the channel in the management scheduling software is set, and then the status of the variable is set as bad in the Simulink model.
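The pointer-offset access of Sect. 2.4 carried into a complete routine, as an added example rather than code from the paper or the NPIC software: the ExtU_level1_T layout is the one quoted above, while the member-name table (standing in for the parsed *.h to *.txt file), the minimal level1ModelClass and the bounds checks are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef double real_T;                 /* Simulink's default real type */

/* Input structure as the Simulink code generator emits it for model "level1". */
typedef struct {
    real_T In1;
    real_T SP;
} ExtU_level1_T;

/* Constructed stand-in for the generated level1ModelClass: only the input
 * block is modelled here. */
typedef struct {
    ExtU_level1_T level1_U;
} level1ModelClass;

static level1ModelClass Level1_Obj;    /* static model object, as in Sect. 2.5 */

/* Member order recovered from the header file; the index of a name is its
 * position in the structure.  Constructed to match ExtU_level1_T above. */
static const char *const LEVEL1_INPUT_NAMES[] = { "In1", "SP" };
#define LEVEL1_INPUT_COUNT \
    (sizeof LEVEL1_INPUT_NAMES / sizeof LEVEL1_INPUT_NAMES[0])

/* Position of a named input in the structure, or -1 if the name is unknown. */
int level1_input_index(const char *name)
{
    for (size_t i = 0; i < LEVEL1_INPUT_COUNT; i++)
        if (strcmp(LEVEL1_INPUT_NAMES[i], name) == 0)
            return (int)i;
    return -1;
}

/* Pointer to the input at position count, or NULL when the request is
 * unsafe.  The arithmetic is only valid because every member is real_T,
 * so a structure size that is not a whole number of real_T slots (name
 * table and header out of sync) is rejected, as is an index beyond the
 * declared member count, which would address memory past level1_U. */
static real_T *level1_input_slot(int count)
{
    real_T *in_point;
    if (sizeof(ExtU_level1_T) != LEVEL1_INPUT_COUNT * sizeof(real_T))
        return NULL;
    if (count < 0 || (size_t)count >= LEVEL1_INPUT_COUNT)
        return NULL;
    in_point = (real_T *)&Level1_Obj.level1_U;   /* start of the structure */
    in_point = in_point + count;                 /* move to the variable   */
    return in_point;
}

/* Set / get by position; return 0 on success, -1 on a rejected request. */
int level1_set_input(int count, real_T value)
{
    real_T *slot = level1_input_slot(count);
    if (slot == NULL) return -1;
    *slot = value;
    return 0;
}

int level1_get_input(int count, real_T *out)
{
    real_T *slot = level1_input_slot(count);
    if (slot == NULL) return -1;
    *out = *slot;
    return 0;
}

/* Set by name, the form a third-party scheduling command would use. */
int level1_set_input_by_name(const char *name, real_T value)
{
    int idx = level1_input_index(name);
    return idx < 0 ? -1 : level1_set_input(idx, value);
}

int main(void)
{
    level1_set_input_by_name("SP", 2.5);
    level1_set_input_by_name("In1", 0.75);
    printf("In1=%g SP=%g\n", Level1_Obj.level1_U.In1, Level1_Obj.level1_U.SP);
    printf("unknown name -> %d, index 7 -> %d\n",
           level1_set_input_by_name("Nope", 1.0), level1_set_input(7, 1.0));
    return 0;
}
```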

3 Case Analysis

The virtual DCS is combined with the process model software as the controlled object to form a closed loop, in order to verify whether it has engineering application value [9–12]. Taking the nuclear safety DCS "NASPIC" system developed by the Nuclear Power Institute of China (NPIC) as an example, a verification experiment is carried out.


Two conditions, unit start-up and lifting and reducing of load, were selected for experimental verification. In the figures, sp represents the reactor nuclear power set value, and VDCS and PDCS represent the simulation results of the closed-loop system based on the virtual DCS and the physical DCS respectively. Figures 4 and 5 correspond to the nuclear power and the pressurizer level regulation process during start-up respectively. Figures 6 and 7 correspond to the nuclear power and pressurizer level regulation process during lifting and reducing of load respectively.

Fig. 4. Power regulation simulation experiment in start-up of reactor

Fig. 5. Pressurizer level regulation simulation experiment in start-up of reactor


Fig. 6. Power regulation simulation experiment in lifting and reducing of load

Fig. 7. Pressurizer level regulation simulation experiment in lifting and reducing of load

The experiments show that the results of the virtual DCS are close to those of the physical DCS.

4 Conclusion

The translation-based virtual DCS based on the Simulink code generator can effectively simulate the operation function of the physical DCS and realize the simulation function of the simulator. The translation method improves the degree of automation and the universality of the simulation system. The configuration programs for different physical DCS platforms only need to modify the program of the reading part of the source configuration file. A series of configuration file reading programs for major mainstream DCS manufacturers


can be developed to realize the universality for various DCS platforms. By optimizing the simulation system architecture, it can meet the high performance requirements of nuclear safety class main processing unit virtualization. The experimental verification shows that the translation-based virtual DCS based on Simulink code generator has engineering application value.

References

1. National Energy Administration: NB/T 20015-2010 Nuclear Power Plant Simulators for Use in Operator Training and Examination. Atomic Energy Press, Beijing (2010)
2. Zhang, X., Ma, Q., Chen, Q., Wang, K., Peng, H., Liu, G.-H.: Design and optimization of communication in nuclear safety class emulation system. In: Xu, Y., Sun, Y., Liu, Y., Wang, Y., Gu, P., Liu, Z. (eds.) SICPNPP 2019. LNEE, vol. 595, pp. 430–440. Springer, Singapore (2020). https://doi.org/10.1007/978-981-15-1876-8_43
3. Yang, S.: Design and development of configuration environment of virtual DCS. North China Electric Power University (2016)
4. Zhang, X., Deng, Z., Peng, T.: Translation type virtual DCS implementation scheme based on simulink code generator. Instrumentation 27(3), 51–55 (2020)
5. Wang, J., Yan, M., Zhang, W., et al.: Study and implementation of virtual simulation technology of OVATION system. Electric Power Sci. Eng. 30(4), 43–47 (2014)
6. Guo, Y.: Development of translation type emulation software for MACSV DCS. Thermal Power Gener. 41(4), 56–58 (2012)
7. Li, F., Hou, X., Zhang, K.: The design and implementation of interface software in CP1000 nuclear power plant full scope simulator. Nucl. Sci. Technol. 7(3), 78–82 (2019)
8. Zhang, X., Xu, H., Wang, K., et al.: Interface design of safety-class instrument control simulation system. Mod. Comput. (17), 69–72 (2019)
9. Zhang, X., Deng, Z., Li, J., et al.: Design and verification of reactor power control based on stepped dynamic matrix controller. Sci. Technol. Nucl. Install. 2019, 1–11 (2019)
10. Lin, M., Yang, Z., Hou, D., et al.: Applying engineering simulator to verification and validation of digital I&C in nuclear power plant. In: 17th International Conference on Nuclear Engineering, pp. 729–733. ASME, Brussels (2009)
11. Hou, D., Lin, M., Xu, Z., et al.: Development and application of an extensible engineering simulator for NPP DCS closed-loop test. Nucl. Eng. Des. 38, 49–55 (2010)
12. Sun, Y., Zhang, Y., Pang, Z.: A validation and verification method of I&C software of nuclear power station based on FSS. Comput. Integr. Manuf. Syst. 31(4), 147–150 (2014)

Testing Verification of Pressurizer Control in Nuclear Power Plant Based on Comparative Simulation

Xu Zhang, Zhi-Guang Deng, Hao Peng, and Qi Chen

Science and Technology on Reactor System Design Technology Laboratory, Nuclear Power Institute of China, Chengdu, China

Abstract. The pressurizer is an important piece of equipment for maintaining the stability of the primary circuit in a nuclear power plant. The pressurizer control system needs to be verified by effective testing. The most popular testing verification method for a digital control system (DCS) is the discrete script test. However, it cannot test the continuous variable process system effectively. In this paper, a complete testing structure aimed at the DCS is designed. The structure includes four levels: discrete script test, simulation test, stimulation test and online comparison test, which stand in a progressive relationship and together form a comprehensive design and test system for the DCS. The system is applied to the verification of the pressurizer in a nuclear power plant. The HPR 1000 MW PWR model and the pressurizer control system are used to perform the simulation and verification tests.

Keywords: Simulation · Pressurizer · Closed-loop · Digital control system (DCS)

1 Introduction

The nuclear safety-class DCS (digital control system) acts on the reactor and the reactor coolant loop to stop the reactor and drive safety equipment in emergency situations, and to keep operating after an accident. Currently the testing methods for the nuclear safety-class DCS, including functional testing and periodic testing, still remain at the pseudo closed-loop stage. The typical testing strategy is to separate the DCS (controller) from the complete real platform, cutting the controller's connection with the controlled objects (including execution units) and the feedback loops (including sensors), and then to inject constructed input data to test whether or not the outputs match the prediction. However, the above testing methods cannot achieve ideal testing effects in the three situations below: controlled objects with strong inertia, where the control procedure is continuous; a DCS platform that has mechanism errors of its own; and human errors in calculating the predicted outputs.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021 Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 301–315, 2021. https://doi.org/10.1007/978-981-16-3456-7_30


To solve the above problems, this paper sets out a DCS design verification method based on both simulation and stimulation closed-loop imitation, to realize real-time and continuous closed-loop comparison. This method has been successfully applied to the verification of nuclear safety-class DCS specimens during the design and manufacturing processes. The nuclear safety-class DCS is intended for use in the HPR 1000 MW PWR (Pressurized Water Reactor). The detailed operation of this method is discussed in the following parts. At present there are many research achievements in the field of the design and application of the NPP (nuclear power plant) FSS (full scope simulator). The research focuses on three parts: control algorithm verification, instrumentation and control system design, and accident analysis. In the aspect of control algorithm verification, Hua Lin uses Relap5 and Matlab/Simulink software to model the thermal-hydraulic system and power control system of Ling Ao Phase I NPP. The simulation results are similar to the actual test data from the NPP, which proves the correctness of the thermal-hydraulic system models [1]. Similarly, Xu Zhang verifies the SDMC (stepped dynamic matrix controller) in the power adjustment system by constructing both a virtual platform and a physical DCS for verification, which also yields good verification results [2]. On instrumentation and control system design, Dong Hou presents a closed-loop testing system for the DCS of an NPP based on an engineering simulator, including the thermal-hydraulic module, DCS module, grid module and others realized with Relap5. They build a three-stage system framework: the module, the simulation module plug-in interface, and the extensible engineering simulator framework foundation [3].
Meng Lin builds a testing system from a suite of hardware and software equipment, which applies the engineering simulator to the V&V (verification and validation) of the instrumentation and control system of an NPP. The hardware includes an IPC (industrial personal computer) and data capture cards, and the software includes the thermal-hydraulic module, the instrumentation and control system module, etc. [4]. Besides, Meng Lin also divides V&V into three forms: artificial virtual inspection, on-line virtual testing based on the engineering simulator, and actual STPs (startup test procedures). This theory has been used in the construction of Ling Ao Phase II NPP [5]. Finally, in the aspect of accident analysis, SUN Yuanzhi uses the FSS and a highly accurate simulation model to verify the safety and reliability of the instrumentation and control software in emergency situations, by designing various kinds of emergency situations that may affect NPP operation. This proves the feasibility of instrumentation and control software design verification by FSS [6]. Meng Lin applies the engineering simulator to SGTR (steam generator tube rupture) accident analysis. Taking the CHASHMA NPP model as an example, they perform both intervention and non-intervention analysis, which proves that the digital reactor system is an effective tool for NPP simulation and analysis [7].

2 Testing Verification System Design

2.1 Construction of the Testing Verification Structure

The testing method in this paper includes four stages: discrete script testing, simulation testing, stimulation testing and online comparison testing. From simple to complicated and from partial to global, the four testing stages run sequentially, automatically correcting the problems found in the procedure. The four stages together form the complete testing system of the NPP DCS. Of the four stages, the discrete script test uses the open-loop testing theory, while the remaining three stages are guided by closed-loop testing ideas. A closed-loop test is the kind of testing method that connects the controlled objects and the controller. In the closed-loop test, the controlled objects output the related parameters to the control logic after a simulation calculation based on the physical model of the controlled objects. The control logic executes its logic calculation after receiving the related parameters from the controlled objects and feeds the calculation results back to the controlled objects for a new round of model testing. The closed-loop test can realize the general verification of the tested objects, including logical verification, interface verification and global function verification. Besides, the closed-loop test can realize dynamic verification that closely approaches the reality of the controlled objects. Compared with the open-loop test, the closed-loop test has the advantages of high testing accuracy, large coverage, testing flexibility and high fidelity.

1) Discrete Script Test

The discrete script test is a kind of open-loop test, which sends data to the tested DCS and collects the feedback, then finishes the test by comparing the real outputs with the expectations. This testing method has advantages such as being convenient to realize, fast running, low cost and easy to maintain. But this method is only suitable for simple logic function tests, and its disadvantages are obvious in tests of continuous controlled objects. Besides, this method also faces problems such as the difficulty of compiling the testing script and the inability to cover all the tested functions. However, these disadvantages can be fixed in the higher-stage tests. This method is usually realized by another simple DCS, which acts as the testing equipment. The testing equipment is connected to the tested DCS with inputs and outputs reversed. Each of them transmits data to the other side and receives feedback from the other side (Fig. 1).

Fig. 1. Discrete script testing method (block diagram recovered from the figure: the Tested DCS and the Testing Equipment DCS, each consisting of an Input Module, a Main Control Module and an Output Module, with the output of each connected to the input of the other)


2) Simulation Test

The simulation test is the method that only applies the development environment of the simulation software to complete the test. The simulation closed-loop differs from the open-loop executed by the testing script. This testing method does not need the slave computer as the operating environment; all modules can be realized in the host computer software, with advantages such as simplicity, low cost and short preparation time. As a kind of closed-loop test, this method can effectively test whether or not the software configuration logic can control, protect and adjust the controlled objects. However, because of the difference in operating mechanism between the virtual and the actual DCS, the hardware performance cannot be tested by this method. Worse, this method cannot effectively find errors in the platform software, such as the DCS operating system. As with the discrete script test, the disadvantages of the simulation test can be fixed in the higher-stage tests.

3) Stimulation Test

The stimulation closed-loop test inserts the real tested object's software and hardware into the testing closed-loop. Compared with the discrete script test or the simulation test, the stimulation test has higher fidelity and real-time behaviour. This method can test not only the structure, theory, algorithm and the entire executing process of the whole system, but also the real hardware performance.

4) Online Comparison Test

Considering that the above three stages of tests run on the same platform, infrastructure problems caused by the adjustment strategy, operating system or low-level compilation of the platform may not be found effectively. Based on diversity theory, a cross-platform method can reach the target of multiple and general comparison verification, which means using another suite of platform software to replace the logic calculation of the DCS, and in this way verifying the DCS platform itself. The detailed process is a combination of the simulation and stimulation closed-loop testing methods. This method can test the DCS software and hardware deeply and comprehensively, to make sure of the correctness and determinacy of the DCS product.

2.2 Testing Software Design

In the NPP DCS testing system, both the stimulation system based on the DCS and the simulation system based on the testing software are designed according to the general design input, and communicate with the process system model. The control strategy is realized as engineering software on the maintenance station, compiled to the execution program and downloaded to the slave computer. Similarly, according to the general design, the control strategy is realized as the test engineering software and compiled to its execution program (Fig. 2). In order to have a better reference, general and reliable platform software shall be used as the testing software. The control logic of the DCS is constructed from two parts. One is the control logic that realizes the protection and control functions based on the general design input. The other is the additional logic based on the properties of the DCS platform itself, such as self-diagnosis. The testing software treats the general design as its input, aiming to realize the control logic required by the general design while ignoring the logic parts required by the DCS platform.

Fig. 2. Testing verification system scheme (block diagram recovered from the figure: the Application Design (Analog Graph/Logic Graph/IO List) feeds three branches, the Testing DCS branch (Testing Script, Execution Program on another DCS slave computer), the DCS branch (Application Software on the Maintenance Station, Execution Program on the DCS slave computer) and the Simulation Platform branch (Simulation Application Software, Execution Program on the Simulation Platform); all three exchange data with the Process System Model and are compared in the Online Compare block)

The design process of the testing software and its engineering software shall take full consideration of the diversity principle, which means that the algorithm library, periodic dispatch mechanism, platform mechanism, etc. of the testing software are all different from those of the physical DCS platform. Besides, the design inputs of the engineering configuration software on the testing platform do not rely on the files generated during the design process of the physical DCS. They can be compared because there is no intersection between them.

3 Process System Model

As the physical process system is often huge and expensive, and sometimes dangerous, it is usually replaced by process system model software in the closed-loop simulation system. The process system model is formed by system identification or mechanism modeling according to the mathematical properties of the physical process system, and the properties of the system transfer function are given by the software. The process system model is the abstraction and digitalization of the physical process system. For the PWR NPP process system model [8], the outline structure is shown in Fig. 3 below.

Fig. 3. PWR NPP process system model (block diagram recovered from the figure: Reactor, Coolant Pump, Steam Generator, Adjusting Valve with Governor, Steam Turbine, generator G, Condenser, Master Feed Water Pump)

This process system model shall include the thermal-hydraulic model, the neutron dynamics model and the reactivity model, etc. [8, 9].


The pressurizer level and pressure model is built according to reference [10]. Both the pressurizer level and the pressure behave as integrating elements without self-balancing capability, or as integrating elements with first-order inertia. The pressurizer's mathematical model is built using a model identification method (Fig. 4).

Fig. 4. The block diagram of mathematical model of controlled objects of pressurizer (block diagram recovered from the figure: inputs Heater Power ph and Charging Valve vs; outputs Pressure P and Water Level W; transfer blocks G11(s) from ph to P, G21(s) from ph to W, G12(s) from vs to P, G22(s) from vs to W)

where P is the pressure of the pressurizer, W is the water level, ph is the power of the heater, and vs is the charging valve. With least-squares identification, the transfer functions are obtained as below.

The pressure transfer function with heater disturbance:

$G_{11}(s) = \dfrac{9.9804 \times 10^{-8}}{s}$ (MPa/kW)

The water level transfer function with heater disturbance:

$G_{21}(s) = -\dfrac{8.51 \times 10^{-5}}{s(23.5s + 1)}$ (%/kW)

The pressure transfer function with charging valve disturbance:

$G_{12}(s) = \dfrac{1.917 \times 10^{-6}}{s(19.203s + 1)}$ (MPa/%)

The water level transfer function with charging valve disturbance:

$G_{22}(s) = \dfrac{2.5202 \times 10^{-5}}{s(33.354s + 1)}$ (%/%)

Thus, the transfer matrix of the pressurizer system is figured out as below.

$$G(s) = \begin{bmatrix} \dfrac{9.9804 \times 10^{-8}}{s} & \dfrac{1.917 \times 10^{-6}}{s(19.203s + 1)} \\[2ex] -\dfrac{8.51 \times 10^{-5}}{s(23.5s + 1)} & \dfrac{2.5202 \times 10^{-5}}{s(33.354s + 1)} \end{bmatrix}$$



The process model of the pressure and water level of the pressurizer are built according to the transfer matrix.


4 Experiment Verification

To verify the effectiveness of the testing method in this paper, one example is used. In the example, the NASPIC system, which is the nuclear safety-class DCS platform designed by NPIC (Nuclear Power Institute of China), is chosen as the controller. The HPR 1000 MW PWR model is used as the controlled object process model. Simulink is the testing software in this example. The control system includes the power control system, pressurizer water level and pressure control system, steam generator level control system, steam discharge control system and steam turbine control system [8].

4.1 Closed-Loop Imitation System Design

The controller in the closed-loop imitation system can be either the physical control system or the testing software. The closed-loop stimulation system constructed with the physical control system and the process system model is shown in Fig. 5. The control system is realized by the slave computer, and the remaining parts, such as the maintenance station, process system model and sensor model, are realized by host computer software. The software running on the host computer interacts through inter-process communication, while it connects to the slave computer through analog and digital I/O modules [11–13].

Fig. 5. The closed-loop stimulation system constructed with the physical control system and the process system model (block diagram recovered from the figure: on the Host Computer, the Operator Station (Setpoint), Maintenance Station, Process System Model, Feedback Channel/Sensor Model and a Scope; on the Slave Computer, the DCS MPU with AI/DI inputs and AO/DO outputs)

The closed-loop simulation system constructed with the testing software and the process system model, which exchange data with each other, is shown in Fig. 6. All parts of the closed-loop can run on a normal host computer; there is no need to download to special controllers. As all parts of the closed-loop are computer processes, they can interact with each other through inter-process communication methods, and in this way build the simulation system. The simulation of the feedback channel can be folded into the process system model. The transfer function of the process system model together with the


transfer function of the sensor model forms the general transfer function. The testing software calculates the control value after receiving the calculated data through the feedback loop, then sends the value to the process system model to realize the control target.

Fig. 6. The closed-loop simulation system constructed with the testing software and process system model (block diagram recovered from the figure: on the Host Computer, Setpoint, Testing Software, Process System Model, Feedback Channel/Sensor Model and a Scope)

The closed-loop imitation systems constructed by the simulation and the stimulation methods can both imitate the closed-loop data exchange between the controller and the controlled process system model.

4.2 Analysis on the Pressurizer Level Control System

During pressurizer level adjustment, the real-time measured value of the water level, the measured value of the coolant's average temperature and the measured charging value need to be captured, filtered by a filtering function and then controlled according to a cascade PID control strategy. In the general design, the working logic of the pressurizer level control system is shown in Fig. 7 below.

Fig. 7. Design of pressurizer level control system (block diagram recovered from the figure: Pressurizer level measurement, Charging flow rate measurement and Average temperature measurement pass through Filter blocks into a cascade of two PID blocks, producing the Position set point of the charging valve)

Within a certain temperature range, the coolant temperature is linear with the coolant level. Accordingly, the coolant temperature is first converted to a liquid level, then the deviation from the measured value of the pressurizer level is taken for the first PID calculation. Then the deviation between that result and the measured charging value is taken for the second PID calculation, which finally yields the position set point of the charging valve.


In the closed-loop stimulation experiment, the real-time control system (NASPIC) and the process system model together form the closed-loop stimulation system. According to the control strategy from the general design, and taking the properties of the platform into account, the application software is drawn in the maintenance station software (NASPES), and the execution program for the slave computer is generated. The DCS configuration logic of the pressurizer level control system is shown in Fig. 8 below.

Fig. 8. DCS configuration logic of pressurizer level control system (configuration diagram recovered from the figure: AI blocks for Pressurizer level measurement, Charging flow rate measurement and Average temperature measurement; a conversion block with points x1 y1 x2 y2; FI filter blocks with time constant T; two PID blocks with parameters Kp, Ti, Td, Tf and MAN_ON/MAN inputs; an AO block for the Position set point of the charging valve)

The execution program is downloaded into the slave computer through the maintenance station and exchanges data with the process system model, forming the closed-loop control structure and realizing the stimulation of actual working conditions. In the closed-loop simulation experiment, the control algorithm in Simulink exchanges data with the process system model to form the closed-loop simulation system. Also, according to the general design, the engineering application software is generated on the Simulink platform. Again taking the pressurizer level control system as an example, the related logic on the Simulink platform is shown in Fig. 9 below. The Simulink software interacts with the process system model to form the closed-loop simulation system, and in this way simulates the real working conditions.

4.3 Analysis on the Simulation Results

The working condition of the joint simulation experiment is set as follows: in payload tracing mode, according to the requirements from the power grid, the output power of the reactor needs to be decreased. The setpoint of the reactor output power steps from 80%FP (full power) to 60%FP and, after a certain period of stabilization, to 40%.

Fig. 9. Pressurizer level control system in Simulink (Simulink diagram recovered from the figure: inputs 1 Pressurizer level measurement, 2 Average temperature measurement and 3 Charging flow rate measurement, each through a first-order filter K/(T.s+1) (FI1, FI2, FI3); PID Controller1 and PID Controller2 in cascade; output 1 Position set point of the charging valve)

During the test, the reactor output power, pressurizer level and pressurizer pressure are taken as the observed parameters to compare the deviations between the experimental results of the simulation system and the stimulation system, as shown in the figures below. The Y coordinates of the three graphs present the normalized values of the nuclear reactor power, pressurizer level and pressurizer pressure. The X coordinates present the simulation time. SP is the setpoint of the power. Stimulation stands for the experimental results of the stimulation system constructed with the real DCS. Simulation stands for the experimental results of the simulation system based on Simulink.

4.3.1 Reactor Hot Start-up Simulation

After flushing, air release, deaerating, heating and pressurizing of the reactor coolant system, the pressurizer forms its vapour space and reaches the rated temperature. This is followed by decreasing the temperature and pressure and raising the control rods to start the reactor until it reaches the critical state. The comparison of the simulation results is shown in Figs. 10 and 11 below.

4.3.2 Continuous Payload Change Simulation

The continuous payload change simulation runs in payload tracing mode, making the power adjustment by decreasing the set value of the reactor output power according to the requirements from the grid. The set value of the reactor output power steps from 70% of full power to 50%, then jumps to 30% after a stage of stabilization. The Frechet distance is a description method for judging the similarity of two curves based on the similarity of their spatial paths. Using the spatial distance of the path, it evaluates the similarity of two spatial-temporal curves more efficiently. The tuple (S, d) is a metric space, where d is the metric function of S. A and B are two continuous curves in S, which means A: [0, 1] → S, B: [0, 1] → S.
Assume that α and β are two re-parameterization functions, which means that α:[0,1] → S, β:[0,1] → S, then the Frechet Distance F(A, B) of the curve A and B is defined as below: F(A, B) = inf max {d (A(α(t)), B(β(t)))} α,β t∈[0,1]

(1)

According to the above distance, the calculation results for the physical DCS and the Simulink platform are given in Table 1 below.
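The following is an added example, not code from the paper or its test platform: it implements the standard discrete approximation of the Frechet distance of Eq. (1) (the Eiter-Mannila dynamic programme) for sampled traces, and contrasts it with a sample-by-sample comparison on two constructed step responses. The time_scale weighting of the time axis and all sample traces are assumptions of this example.

```python
"""Discrete Frechet distance between two sampled response curves.

Added example, not code from the paper or its test platform: the paper
defines the continuous Frechet distance F(A, B) as the infimum over
re-parameterizations of the maximum point distance d. For curves that
are only available as samples (the DCS and Simulink traces), the
standard discrete approximation (the Eiter-Mannila dynamic programme)
is used here. All sample curves below are constructed, not measured.
"""
from math import hypot, inf
from typing import Dict, List, Sequence, Tuple

Point = Tuple[float, float]


def discrete_frechet(a: Sequence[Point], b: Sequence[Point]) -> float:
    """Discrete Frechet distance with Euclidean point distance d.

    ca[i][j] holds the Frechet distance of the prefixes a[:i+1], b[:j+1].
    Each step advances the walker on A, the walker on B, or both, which
    is the discrete counterpart of the monotone re-parameterizations
    alpha and beta in Eq. (1).
    """
    n, m = len(a), len(b)
    if n == 0 or m == 0:
        raise ValueError("curves must contain at least one sample")
    ca: List[List[float]] = [[inf] * m for _ in range(n)]
    for i in range(n):
        for j in range(m):
            d = hypot(a[i][0] - b[j][0], a[i][1] - b[j][1])
            if i == 0 and j == 0:
                prev = 0.0
            elif i == 0:
                prev = ca[0][j - 1]
            elif j == 0:
                prev = ca[i - 1][0]
            else:
                prev = min(ca[i - 1][j], ca[i][j - 1], ca[i - 1][j - 1])
            ca[i][j] = max(prev, d)
    return ca[n - 1][m - 1]


def to_curve(times: Sequence[float], values: Sequence[float],
             time_scale: float) -> List[Point]:
    """Turn a (time, normalized value) trace into points in the plane.

    time_scale is an assumption of this example: it sets how much a
    shift along the time axis counts relative to a value deviation.
    """
    return [(t * time_scale, v) for t, v in zip(times, values)]


def pointwise_max_deviation(values_a: Sequence[float],
                            values_b: Sequence[float]) -> float:
    """Sample-by-sample comparison, for contrast with the Frechet distance."""
    return max(abs(p - q) for p, q in zip(values_a, values_b))


def compare_traces(times: Sequence[float], sim: Sequence[float],
                   stim: Sequence[float], time_scale: float = 0.1) -> Dict[str, float]:
    """Both metrics for a simulation trace against a stimulation trace."""
    return {
        "frechet": discrete_frechet(to_curve(times, sim, time_scale),
                                    to_curve(times, stim, time_scale)),
        "pointwise": pointwise_max_deviation(sim, stim),
    }


# Constructed sample traces: a normalized step response, and the same
# response delayed by one sample (e.g. a one-cycle controller lag).
TIMES = [0.0, 1.0, 2.0, 3.0, 4.0]
SIMULATION = [0.0, 0.0, 1.0, 1.0, 1.0]
STIMULATION = [0.0, 0.0, 0.0, 1.0, 1.0]

if __name__ == "__main__":
    # A pure time shift gives a small Frechet distance (0.1 here) but a
    # large pointwise deviation (1.0): the Frechet distance tolerates a
    # re-parameterization in time, the pointwise comparison does not.
    print(compare_traces(TIMES, SIMULATION, STIMULATION))
```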


Fig. 10. Result of reactor hot start-up simulation: (a) relative nuclear reactor power; (b) relative pressurizer level; (c) pressurizer pressure


Fig. 11. Result of continuous payload change simulation: (a) relative nuclear reactor power; (b) relative pressurizer level; (c) pressurizer pressure


Table 1. Frechet distance of the two imitation results

Status            Frechet distance
                  Power          Level          Pressure
0%–20%FP          5.4394e−004    7.0817e−004    2.3783e−005
70%–50%–30%FP     1.6017e−004    7.0916e−004    2.0368e−004

From the comparison of the two testing results, it can be seen that the testing platform constructed in Simulink is highly consistent with the physical DCS. This proves that the testing method is correct.

4.4 Algorithm Logic Check Example Analysis

The general logic of the reactor emergency trip judgment strategy is that the four protection channels each make a judgment on a common protection parameter, such as the steam generator (SG) level. Each of the four protection channels separately decides whether the parameter is out of limits by comparing the SG level with the threshold. At the same time, each channel analyzes the same information shared from the other three channels and generates its own trip signal. In the voting process for the trip signal between the four channels, a 2-out-of-4 algorithm is applied. There are two types of 2-out-of-4 algorithm block: degrading to action and degrading to no action. The operation mode tending towards safety protection should be selected according to the actual situation. When the quality of all four inputs is good, both types make a 2-out-of-4 judgment. Both types degrade to a 2-out-of-3 algorithm when there is one bad input. With two bad inputs, the first type degrades to logic OR, while the second degrades to logic AND. With only one good input or fewer, the first type takes action directly, while the second takes no action at all. In project design, the two types are sometimes incorrectly used together. Comparison tests of simulation and stimulation are able to find such errors conveniently.

As presented in Fig. 12, the first four lines represent the four channel signals of the reactor protection system SG level low-low: 1 stands for low-low and 0 for not low. The fifth and sixth lines show the reactor shut-down signals in the channel of the simulation system and of the stimulation experiment system: 1 stands for not shutting down and 0 for shutting down. Time is presented on the horizontal axis and measured in seconds. In the overall design, the 2-out-of-4 algorithm block should be of the type degrading to action. Due to a mistake by the engineer configuring the physical DCS system, the algorithm block was set as degrading to no action, so the stimulation system carries the same error. As a comparison, it is correctly set in the simulation system. All four protection system channels function well at the beginning of the experiment. At 100 s, the 2-out-of-4 logic degrades to 2-out-of-3 because of a malfunction and bad quality bit of the analog input module of protection system channel 1. The arrow in the figure marks this malfunction. At 200 s, a malfunction and bad quality bit occur on protection system channel 2, which makes the simulation system degrade to logic "or" and the stimulation system to logic "and". At 250 s, the SG level low-low signal comes from channel 3. When this happens, the simulation system generates the reactor shut-down signal in its channel while the stimulation system does not. Thus the design fault is discovered through the comparison of the two systems.

Fig. 12. Reactor trip response comparison experiment

By comparing the results of the two simulation experiments on line, erroneous logic can be detected and warned of in advance.
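The two kinds of 2-out-of-4 block and the Fig. 12 experiment, as an added example that is not code from the paper or from the DCS platform: each channel input carries a trip bit and a quality bit, the block degrades as the paper describes, and a constructed timeline replays the three events (channel 1 bad at 100 s, channel 2 bad at 200 s, channel 3 low-low at 250 s) to show where a correctly and a wrongly configured block diverge.

```python
"""Two kinds of 2-out-of-4 voting block and how they degrade with bad inputs.

Added example, not code from the paper or from the DCS platform: each
protection channel supplies a trip bit (SG level low-low) and a quality
bit. The 'degrade to action' block fails safe as inputs are lost; the
'degrade to no action' block fails quiet. The timeline below is a
constructed replay of the Fig. 12 experiment: channel 1 goes bad at
100 s, channel 2 at 200 s, and channel 3 reports low-low at 250 s.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class ChannelInput:
    trip: bool   # True: this channel sees SG level low-low
    good: bool   # quality bit of the channel's analog input module


def voting_mode(n_good: int, degrade_to_action: bool) -> str:
    """Name of the logic the block has degraded to, for monitoring/logging."""
    if n_good == 4:
        return "2oo4"
    if n_good == 3:
        return "2oo3"
    if n_good == 2:
        return "OR" if degrade_to_action else "AND"
    return "action" if degrade_to_action else "no action"


def vote_2oo4(inputs: Sequence[ChannelInput], degrade_to_action: bool) -> bool:
    """Return True when the block demands a reactor trip.

    Bad-quality inputs are excluded from the vote and the block degrades
    exactly as the paper describes for the two kinds of block.
    """
    if len(inputs) != 4:
        raise ValueError("a 2-out-of-4 block takes exactly four channel inputs")
    good_trips = [c.trip for c in inputs if c.good]
    n_good, n_trip = len(good_trips), sum(good_trips)
    if n_good >= 3:           # 2oo4 with four good inputs, 2oo3 with three
        return n_trip >= 2
    if n_good == 2:           # two bad inputs: OR for one kind, AND for the other
        return n_trip >= 1 if degrade_to_action else n_trip == 2
    return degrade_to_action  # one good input or none


def scenario_inputs(t: float) -> List[ChannelInput]:
    """Constructed channel states at time t (seconds) for the Fig. 12 replay."""
    return [
        ChannelInput(trip=False, good=t < 100),   # channel 1: bad from 100 s
        ChannelInput(trip=False, good=t < 200),   # channel 2: bad from 200 s
        ChannelInput(trip=t >= 250, good=True),   # channel 3: low-low from 250 s
        ChannelInput(trip=False, good=True),      # channel 4: healthy, not low
    ]


SAMPLE_TIMES = list(range(0, 301, 50))


def first_trip_time(degrade_to_action: bool,
                    times: Sequence[float] = SAMPLE_TIMES) -> Optional[float]:
    """Earliest sample time at which the block demands a trip, or None."""
    for t in times:
        if vote_2oo4(scenario_inputs(t), degrade_to_action):
            return t
    return None


def divergence_times(times: Sequence[float] = SAMPLE_TIMES) -> List[float]:
    """Sample times at which the two block kinds disagree.

    This is the comparison the paper's simulation/stimulation test makes:
    a correctly configured block in one system against a wrongly
    configured one in the other; any disagreement flags a design error.
    """
    return [t for t in times
            if vote_2oo4(scenario_inputs(t), True)
            != vote_2oo4(scenario_inputs(t), False)]


if __name__ == "__main__":
    for t in SAMPLE_TIMES:
        n_good = sum(c.good for c in scenario_inputs(t))
        print(t, voting_mode(n_good, True), vote_2oo4(scenario_inputs(t), True),
              voting_mode(n_good, False), vote_2oo4(scenario_inputs(t), False))
    print("divergence at", divergence_times())   # [250, 300]
```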

5 Conclusion

The design of the configuration control algorithms of the physical closed-loop stimulation system constructed with the physical DCS is completely separate from that of the closed-loop simulation system based on Simulink, without any cross-reference between them; this fits the diversity criterion and makes it possible to find mechanism problems of the DCS platform through comparison. This testing method avoids the human mistakes caused by inputs calculated by hand. Besides, the testing process is highly automatic. This testing method has been proved effective by its application in the design and manufacturing process of the DCS specimen used in the HPR 1000 MW PWR NPP.


Optical Fiber Communication and Wireless Communication Technology Oriented to Internet of Things

Xiao-Chen Yang1, Zhen-Yu Yan1(B), Zeng-Jun Chun2, and Lai-Long Zou2

1 China Nuclear Power Co. Ltd., Shenzhen 518116, Guangdong, China
{yangxiaochen,yan_zhenyu}@cgnpc.com.cn

2 China Nuclear Power Co. Ltd., Shenzhen 518116, China
{chunzengjun,zoulailong}@cgnpc.com.cn

Abstract. Internet of Things technology based on RFID has begun to play an increasingly important role in modern communication. Starting from the characteristics of the Internet of Things as an emerging networking technology and its application in modern communication systems, this paper analyzes the planning and construction of the smart power grid and, according to the needs of modern communication technology and playing to its advantages, puts forward an application scheme for the Internet of Things in the power communication system. A basic network platform (the network layer) that can carry various types of services is built using EPON optical communication, wireless communication and other modern communication technologies, carrying data, voice, video and other services. Combined with RFID technology, it realizes an RFID-based substation integrated communication monitoring system, a spare parts warehouse management system and a computer room management system. The RFID computer room intelligent management system uses RFID automatic identification technology, a network and software platform, an integrated equipment management system in the background and RFID hardware at the front end; the equipment data of the computer room are collected at the control center, transmitted over the network, stored and processed, and the monitoring data are displayed in real time, providing faster, more careful and more accurate daily management of cabinets and other important business assets. From the point of view of the perception layer and the network layer, the current status and application prospects of optical communication technology (optical fiber communication and wireless communication) in the Internet of Things are discussed.

Keywords: Optical fiber communication technique · Wireless communication technique · Internet of Things

1 Introduction

The concept of the Internet of Things was first proposed by the Auto-ID Center of the Massachusetts Institute of Technology (MIT Auto-ID Center) in 1999 [1]. In 2009, IBM CEO Samuel Palmisano first proposed the "Smarter Planet" concept; once put forward, it drew high attention from all walks of life in the United States, and "Smarter Planet" was expected to become another "information highway" plan, setting off a technology and economy wave with the Internet at its core. In August 2009, the "Sensing China" initiative brought research and application development of the Internet of Things in China to a climax; in November of the same year, China Mobile and the Wuxi municipal government signed a cooperation framework agreement on "TD-SCDMA and promoting the integration of the Internet of Things", and large-scale research on the Internet of Things with a "Chinese" label was kicked off. At present, the international definition of the Internet of Things is: through RFID, infrared sensors, GPS, laser scanners and other information sensing devices, and according to agreed protocols, connecting anything with the Internet for information exchange and communication, so as to achieve intelligent identification, positioning, tracking, monitoring and management over the network. The future of the Internet of Things is to establish a large heterogeneous network made up of sensor networks, communication networks and the Internet; through a network that is present everywhere, objects and objects, people and things, and people and nature can be connected and exchange information at any time and in any place [2]. Optical communication technology mainly refers to wired communication (i.e. optical fiber communication) and wireless communication technology; it is highly creative, permeable and driving [3–6]. As a means of full-coverage access, combined with the Internet of Things, it will bring advantages and great application value to industry, agriculture, the military, the environment, medicine and other traditional areas, and to home health care, transportation and other new areas.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 316–331, 2021. https://doi.org/10.1007/978-981-16-3456-7_31
At present, China's optical communication technology has matured, and Internet of Things terminals with mobile access are under research and development. Applying optical communication technology in the Internet of Things allows remote monitoring, maintenance, management and operation of the Internet of Things and, through flexible and cheap terminal communication means, extends the tentacles of communication to every corner of the world, further promoting and deepening the application of optical communication technology in the Internet of Things. At present, the optical communication modes applied in Internet of Things technology include wireless sensor networks (WSN), short-range wireless optical communication technology such as WiFi, and wide-range wireless communication technology such as GPRS, 3G and 4G mobile communication. The future development of the mobile communication network will promote the Internet of Things and the development of the whole industry chain; at present, the major mobile operators have been actively involved in the Internet of Things, pushing Internet of Things networking together with the mobile network, and the value and function of the Internet of Things in communication technology are fully reflected in the combination of wireless communication networks, mobile terminal equipment and short-range communication. Although Internet of Things technology is not yet mature and its composition, structure and functional scope differ, with the application of the Internet of Things and optical communication technology, wireless communication networks will be the development trend in the future, and the future Internet of Things will be a wireless network based on optical communication technology.

Universities in the United States have carried out a great deal of work on wireless sensor networks. Among them, the DARPA-supported work at the Massachusetts Institute of Technology is engaged in research on wireless sensor networks with very low power consumption; the DARPA-supported work at Auburn University is engaged in a large amount of self-organizing sensor network research and has developed some experimental mobile self-organized systems; the computer systems research laboratory of Binghamton University has done a lot of research on network protocols and sensor network application layer design; and the mobile computing laboratory of Cleveland State University (Ohio) has conducted a lot of research combining IP-based mobile networks and self-organizing networks with wireless sensor network technology. In addition, the Wireless Sensor Network Laboratory of the National University of Singapore has done a lot of research work on wireless sensor networks. Besides scientific research institutes and universities, well-known foreign enterprises have participated in wireless sensor network research. Crossbow, one of the pioneers of wireless sensor network research in the world, owns many wireless sensor network hardware products (including IRIS, MicaZ, Imote2, TelosB and Cricket); Crossbow has established cooperative relationships with the sensor equipment giant Honeywell, the hardware equipment manufacturer Intel, the software giant Microsoft, network equipment manufacturing giants and the University of California at Berkeley, providing wireless sensor solutions to thousands of large firms around the world and more than 2000 colleges and universities. In addition, in the field of wireless sensor networks, the microprocessor makers TI and Atmel have also invested a lot of money and research strength. These studies lay a solid foundation for the further development and commercialization of wireless sensor networks [7–10].

2 The Basic Structure of the Internet of Things

The Internet of Things uses a hierarchical structure model composed of a perception layer, a network layer and an application layer, as shown in Fig. 1. The three-layer networking architecture is more consistent with what people expect of the Internet of Things, and at each level of the Internet of Things there are many options [11].

Fig. 1. Hierarchical structure of Internet of things


The perception layer is the lowest level of the Internet of Things and its foundation; it mainly completes data collection and information perception. The perception layer includes RFID systems, sensor networks, gateways and M2M terminals, and realizes the acquisition of goods information through RFID electronic tags, sensors and M2M acquisition terminals. The network layer sits between the perception layer and the application layer of the Internet of Things and has the functions of long-distance transmission and data information management; it transmits the information collected by the perception layer to the application layer and includes a variety of communication networks, including GPRS, 3G and 4G mobile communication networks, the Internet, satellite networks and wired communication networks. The application layer is the upper layer of the Internet of Things and performs the application and processing of the information data collected by the perception layer.

3 The Scheme of Things and Its Application in the Electric Power Communication System

3.1 Cable EPON + Wireless Communication Solution

In the area of network communication solutions, a combination of wired and wireless is mainly put forward: the wired part uses advanced EPON technology, and the wireless part uses WiFi technology. The main technical difficulties to consider are safety protection and preventing the overflow of the wireless signal. In the early stage of the science and technology project, the following problems were encountered: (1) the detailed design of the EPON cable, laid out according to the specific business points in the field at the North Tangshan design, where the specific business and the location of the business points were not clear, especially the uncertain layout of each business point of the substation (temperature transfer station, video and other services); (2) the power supply of the ONU; (3) the location of the OLT on the shelves, the power supply interface, and the optical and electrical interfaces. Based on the above issues, the wired network in the substation is proposed to use advanced EPON technology, with a large-capacity OLT in double backup configuration in the engine room, taking into account factors such as easy maintenance and a reliable operating environment, and placing all the shelves at the locations already laid out; taking into account the needs of the science and technology project for a wide frequency band, large transmission capacity, no electromagnetic or electrostatic interference, no crosstalk interference and strong confidentiality, the interface, power supply and optical interface are of higher overall performance. Taking into account the higher demand for protection ability, the EPON terminal uses industrial-grade ONUs with dual PON protection and high reliability, with the ONUs distributed according to the requirements of the business.
ONUs currently mainly have the following power supply schemes: (1) General mains power: when the mains fails, the IAD stops working immediately, and the user can only communicate by mobile phone, PHS and other alternative means of communication. (2) Elevator standby power: the IAD and the building elevator share a power line; elevator power is relatively common and, under normal circumstances, is not cut. (3) Battery: a built-in backup battery is configured for the IAD/ONU, or the equipment is placed in UPS-equipped corridor equipment. (4) For spare rooms far from the residential room layout: an extra power line is run from the engine room to the device location (usually a corridor) to supply the IAD, with a corresponding increase in the standby capacity of the engine room in order to meet the power supply of the room itself and the IAD equipment [12]. Considering the need for power operation in the substation, the substation and communication room have two sets of DC power supply and battery capacity; the communication equipment room power supply and the battery-backed DC power distribution panel are selected as the two power supply modes for the science and technology project, in order to ensure the operation of the ONU. The wireless coverage is designed using 802.11b/g 2.4 GHz WiFi; the wireless device uses a small-power integrated unidirectional panel antenna covering the station, with a metal mesh cover at the back to prevent overflow of the signal, and multiple layers of encryption to ensure the security of the wireless network.

3.2 Optical Fiber and WiFi Wireless Networking Solutions

In order to solve the problem of signal coverage in places the fiber cannot reach, the whole communication network is proposed to be solved by wireless WiFi, mainly using wireless APs to cover the area; the APs can be connected through the existing optical fiber communication, carrying voice, mobile video and WiFi voice. The wireless topology is shown in Fig. 2.

Fig. 2. Wireless topology


The first layer is the access layer: user terminal equipment accesses the wireless network and sends data through the AP; the AP device uploads data through the wireless channel to the wireless uplink convergence device, and the wireless convergence device transmits the data over cable or optical fiber to the data aggregation switch, where all user data are aggregated and processed. The second layer is the network layer, which centrally processes the data converged from the access layer below. Considering the security of the network, network security equipment such as network analysis, isolation and filtering devices or a firewall is set up between the wireless access layer and the network service layer, so that data entering from the wireless access layer meet the higher security requirements. Dual-band 2.4 GHz and 5.8 GHz AP equipment is used, with 2.4 GHz 90-degree directional antennas for coverage, so that the radio beam can be controlled within the power field: the signal strength inside the field is ensured, and the wireless signal strength outside the site is kept as small as possible.

3.3 The Construction of Network Load to Determine the Way

(1) Environmental monitoring. Temperature and humidity sensors and water immersion sensors are distributed indoors, and base stations are installed, to achieve real-time monitoring of indoor temperature, humidity, flooding and other information. The schematic is shown in Fig. 3.

Fig. 3. Schematic diagram of the structure

(2) Condition monitoring of substation equipment. Through the constructed network, the state information of electrical equipment is monitored and uploaded, including equipment hot-spot monitoring and lightning arrester action frequency monitoring.


(3) Mobile video service. Mobile box terminals with multiple communication technologies and multi-service support in the wireless network, with voice, data and video data interfaces. (4) Asset management and inspection. Asset management and inspection mainly use RFID tags, with data transmission and exchange through the constructed communication network. The RFID asset management system consists of electronic labels on the devices, handheld terminals and background management software; through the handheld terminal, information queries, equipment recording and upload functions are provided.

3.4 The Realization of the Intelligent Communication Computer Room Management and Spare Parts Management System

Based on RFID and sensor networking technology and multi-network fusion technology, intelligent management is carried out for multiple objects: the substation communication room, the spare parts warehouse and the terminal data rooms. Through the construction of a 3D visualized integrated monitoring platform, the project realizes engine room environment monitoring, dynamic monitoring based on RFID technology and equipment monitoring functions. The main construction contents include the substation communication environment monitoring system, the engine room monitoring system, the RFID-based substation communication machine room equipment management system, the spare parts warehouse management system and the RFID-based integrated room monitoring platform. The solution mainly covers physical information, location information, asset access control for the room, equipment status and history, intelligent room asset monitoring and management, and comprehensive management of computer assets with a unified interface and a unified database under a unified network.
The scheme attaches RFID electronic tags to cabinets, equipment and other fixed assets and installs RFID identification equipment at the room entrance and in the cabinets; combined with the equipment management and monitoring platform, it updates comprehensive visual information on the equipment in real time, and can monitor the use and flow of equipment. The computer room management and monitoring system uses a network architecture divided into three parts: the monitoring layer, the communication layer and the application layer. The monitoring layer consists of RFID tags, RFID readers, antennas and other components of the automatic asset monitoring system and, through the portable terminal system, can also realize manual management; the network layer is formed from the LAN within the substation and mainly uses the TCP/IP protocol; the application layer includes the equipment online communication module, the front end and the back-end database management interface module. Through the overall design of the system, physical asset information, room location information, access control, equipment status and history, intelligent room asset monitoring and management, and comprehensive management of computer assets with a unified interface and a unified database under a unified network are realized. The RFID room management system is designed for real-time monitoring and real-time display of various types of spare parts, applying radio frequency identification (RFID) technology, electronic labels, special fixed electronic tag readers, computer networks, application software and so on. The computer room management system mainly includes access control management, real-time monitoring, alarm management and log management. Access control management integrates RFID readers, antennas and alarms on both sides of the room door, and performs access control and alarming for staff and spare parts going in and out; real-time monitoring uses fixed readers and antennas in the cabinets to read the electronic tags attached to the spare parts in real time, transmitting the information read to the data center for real-time display. The cabinet monitoring system devices are connected as shown in Fig. 4.

Fig. 4. The cabinet system connection diagram

Alarm management gives a real-time alarm when anomalies such as the loss of spare parts occur during the real-time monitoring process; log management records the real-time monitoring and alarm information of abnormal events in the system.

4 Application of the Perception Layer of the Optical Communication Technology in the Internet of Things

4.1 Application of Optical Fiber Sensing Technology in the Perception Layer

Sensors can sense changes in the surrounding environment in real time, so environmental monitoring in the perception layer of the Internet of Things uses wireless sensor networks. Optical fiber sensing technology uses light as the carrier and the optical fiber as the transmission medium for external signals; it is a new technology developed along with optical fiber and optical fiber communication technology and the rapid development of sensor technology, and belongs to the field of photonic technology in which waveguides carry photons and information [13]. The basic principle of optical fiber sensing technology is that, as the light wave propagates in the fiber, its amplitude, phase, polarization, wavelength and other characteristic parameters change with external factors such as temperature, pressure, displacement, electromagnetic field and rotation, so that the variation of the physical quantity can be sensed. The working process of an optical fiber sensor is as follows: light from the light source passes through the optical fiber to the modulator with the sensing function, where the influence of the physical parameter to be measured (modulation) changes the optical characteristic parameters and the light becomes a modulated signal; the light then passes through the optical fiber to the photodetector, where photoelectric conversion and demodulation yield the measured physical quantity. An example is the use of the polarization properties of the fiber: indirect measurement of current through measurement of the Faraday rotation angle. In optical fiber sensing, if both the optical transmission part and the sensing part use fiber, the sensor is a functional optical fiber sensor; this kind of sensor is very suitable for distributed sensor networks. Compared with traditional sensors, optical fiber sensors have higher detection sensitivity; because both sensing and transmission use optical signals, they are not subject to electromagnetic interference and radiation effects and can be used under high pressure, high temperature, electromagnetic interference and other adverse conditions. At the same time, the fiber material is light in weight and small in volume, with good flexibility and toughness, so optical fiber sensors can be made into any shape according to detection needs. With the study of optical fiber sensors, it has been found that specially treated fiber gratings can be made into chemical and biochemical sensors detecting a variety of chemical substances, giving optical fiber sensors a wide range of applications in various industries. The combination of optical fiber sensing technology and optical fiber communication technology into networked and arrayed sensor systems is an important development direction of optical fiber sensing technology: by splicing optical fiber sensors into conventional communication optical cables, two kinds of function are formed, transmitting the real-time characteristics of the sensors together with the broadband characteristics and advantages of optical fiber, and at the same time various sensors can be multiplexed for optical measurement of a target. This gives optical fiber sensing technology unique advantages and applications in the perception layer.
4.2 Application of Wireless Optical Communication Technology in the Perception Layer

Wireless communication technology is indispensable to the application of every level of the Internet of Things; the development of short-range wireless communication technology and the improvement of information and communication are the reliable technical guarantee of the Internet of Things at the perception layer [9]. In the Internet of Things, the sensor network is the key to connecting the physical world and the information world; sensor networks will become the "last mile" access of the Internet of Things, and only wireless communication networks can realize the omnipresent access that existing sensor networks need. Wireless optical communication technology is a product of the combination of optical communication technology and wireless communication technology; because light has a higher frequency than radio waves, its wavelength is shorter than that of radio waves. Therefore the bandwidth of wireless optical communication is 10^4 times that of WiFi and 100 times that of 4G mobile communication, the information transmission rate is 10–155 Mbit/s, and any protocol is supported, meeting both short-distance and long-distance wireless communication applications and solving the "last mile" problem of high-speed access for a variety of services. With the application of wireless optical communication technology, in the future a chip containing wireless router, communication base station and WiFi access functions may be embedded in articles, and the articles will have high-speed wireless access: in daily life, on construction sites and in any harsh environment, communication is possible as long as there is a light source. A wireless optical communication network as the transmission channel for wireless sensor network information fusion is closer to the Internet at any time, any place, any person and any matter, allowing smooth communication in a ubiquitous network; it will become one of the major wireless communication technologies adopted by the Internet of Things, and at the same time, for traditional telecommunication network operators, a wireless optical communication network system can be used as a supplement to the cable transmission system and as a base station backhaul link connected to it.

4.2.1 The Application of Wireless Communication Technology in RFID Systems

(1) Short-distance wireless communication between reader and tag. The RFID system consists of electronic tags, readers, antennas, RFID middleware and the backstage application system. Readers and electronic tags communicate through short-distance wireless communication links. Electronic tags are divided into two kinds, passive and active. Electronic tags currently on the market are mainly passive, and the read-write wireless signal coverage of a passive electronic tag is relatively short. Therefore improving the induction ability of the RFID system and expanding its coverage is an urgent problem to be solved. At present, the short-distance communication technology mainly used for RFID systems is represented by IEEE 802.15.4 [14–17], operating in the 2.4 GHz frequency band; 2.4 GHz belongs to the industrial, scientific and medical (ISM) band, a license-free band usable worldwide, and is the RFID frequency supported by the Ministry of Industry. The wireless communication distance is greater than 1 m, typically 4–6 m, and can reach 10 m or more at most. (2) Wireless access of the RFID reader to the network layer: the reader accesses the Internet of Things through gateway devices.
Between the RFID system and the network layer, the gateway equipment plays a dual role: the RFID reader transmits goods data to the gateway through short distance wireless communication, and the gateway passes the data on to the network layer; conversely, the gateway can receive application-layer information such as customer requirements and transmit it down to the RFID reader through short distance wireless communication. The gateway thus integrates the RFID system and the network layer into collaborative work. Integrating a wireless communication module directly into the reader is also being explored, which turns the reader into an intelligent terminal of the mobile communication network that, like a mobile phone, accesses the network layer wirelessly and extends the read/write distance. The corresponding gateway equipment can likewise integrate a wireless communication module directly. In summary, an RFID system and wireless communication technology together construct a real-time goods information sharing network [13, 14].

326

X.-C. Yang et al.

(3) Safety and interference in wireless communication. In an RFID system a reader can read information from multiple tags [15], and the tag signals can interfere with and collide with each other in wireless transmission; the RFID anti-collision problem is the main problem and difficulty facing the development of radio frequency identification technology [9]. At present space division multiple access and smart antenna technology are used to reduce the collision problem. Radio electromagnetic interference and information security are the main weaknesses of wireless communication, so spread spectrum, frequency hopping, information encryption and authentication are applied in RFID systems to improve the security of the wireless transmission link.

4.2.2 The Application of Wireless Communication Technology in Wireless Sensor Networks

A traditional wireless sensor network (WSN) is “a wireless network formed in a self-organising way by randomly distributed tiny sensor nodes that integrate sensors, a data processing unit and a communication unit” [18]. WSNs have various structures; in the hierarchical structure shown in Fig. 5, communication between WSN nodes is short distance wireless communication with a transmission distance of up to 100 m. Nodes forward sensed data by multi-hop transmission to the cluster head within wireless range, and the cluster head sends the aggregated information on over wired IP.

Fig. 5. Structure of wireless sensor network (WSN)

In theory the size of a WSN can be extended without limit. In practice, because WSN nodes transmit over short distances, the hierarchical structure extends the service range, but a complex hierarchy increases transmission delay and cost, and the wired IP link is subject to the limitations of cable wiring; a WSN on its own with wired IP therefore cannot truly achieve the “ubiquitous” idea. In recent years WSN development has paid more and more attention to integration with wireless communication technology. One line of thought is introduced here: the wireless network serves as the channel through which the WSN accesses the IP network, and an intermediate layer is placed between the WSN and the network layer. This layer consists of WSN gateway nodes (the sink nodes of the WSN), which have the function of the top-level node (cluster head) and at the same time act as wireless access terminals of a cellular network; they integrate the mobile communication network with the wireless sensor network, so that WSN information is transmitted to the Internet through the cellular network, forming the “ubiquitous” network. The function of the gateway node and its access protocol are currently a hot research topic in the Internet of things. Integrating a wireless communication module into the gateway node, with the terminal behaviour and characteristics of the mobile communication network, is one of the problems of fusing the WSN with the network layer; the feasibility of using a mobile communication base station or a mobile phone terminal as the gateway node is also being explored, which would greatly expand the capacity of sensing nodes. It is worth noting that the mobile communications industry is revising its standards for terminal management and access protocols. IP sensor networks are a current research focus, especially with IPv6 at the core of next-generation Internet development: if each sensor is allocated an IP address [19], sensors can be reached directly and wirelessly from mobile phone and computer terminals without gateway nodes, enabling communication between people and items whenever and wherever possible.
In addition, because WSN nodes communicate wirelessly, the network has all the characteristics of a wireless communication mode, such as the need for encryption and security, channel congestion and node collisions during information transmission; special communication protocols have been developed to solve these problems of wireless sensor networks [20].

5 Optical Communication Technology Application in the Network Layer in the Network

5.1 Optical Fiber Communication Technology Application in the Network Layer in the Network

The data collected by the perception layer reach the application layer of the Internet of things through a wired or wireless network. Among the wired modes, optical fiber communication offers large communication capacity, immunity to electromagnetic interference, suitability for long distance transmission and ease of installation and transport, and broadband access can reach 20 THz to meet data transmission requirements, so it is very suitable for the Internet of things. Companies that build internal networks, such as those in coal, electric power, oil and aviation, use optical fiber transmission to ensure the reliability, stability and security of data transmission. However, wired connections are constrained by line deployment and the environment and cannot easily satisfy the requirement of complex network access at any time and any place. Wireless communication offers flexible access, but its limited bandwidth limits the information transmission rate. How to combine optical fiber transmission with wireless transmission in the Internet of things so as to make the most of the advantages of both is a problem that the development of the Internet of things must address [21].

5.2 Wireless Communication Technology Application in the Network Layer in the Network

To ensure the timeliness of information applications, choosing a wireless communication network for the network layer of the Internet of things is an important guarantee for achieving connection and information exchange between things and things, people and things, and people and nature, at any time and in any place. China’s mobile communication network operation is highly mature and its network coverage reaches everywhere in the country. Using the existing wireless communication network directly as the network layer makes deployment of the Internet of things convenient, reduces construction cost, improves the efficiency of information transmission and lays a good foundation for the development of mobile networking equipment. The mobile communication network will be the main means of access to the Internet of things. Narrowband 2.5G GPRS has operated maturely in China for decades, with high network reliability and wide base station coverage, which suits networking and ubiquitous network requirements, but the GPRS data transmission rate is at most 115 kbps. As the Internet of things develops, data communication between people and things, things and things, and machine and machine will greatly exceed today’s person-to-person traffic; GPRS cannot satisfy the growing information data of the future Internet of things and will cause transmission congestion. Current 3G network technology provides data transfer rates of up to 2 Mbps, giving support and protection to the growing networking data services.
4G LTE (Long Term Evolution) technology, using multiple-input multiple-output and orthogonal frequency division multiplexing transmission technology, raises the data transmission rate to a maximum of 201 Mbps and increases the bandwidth. Compared with 3G, the 4G bandwidth of 20 MHz is 10 times that of 3G. 4G LTE is a full data service: data rates increase significantly, network deployment and maintenance costs fall, and it is better suited to the growing data transmission of the Internet of things, fundamentally solving the congestion problem of information transmission. The LTE system also supports the IPv6 protocol, which allows enough terminals and makes the development of networking and mobile terminals feasible. It is worth considering that the existing security mechanism of the mobile communication network was built for communication between people; when the mobile communication network is used in the Internet of things, the large increase in data from things will cause network congestion in transmission, so the security protocol of the future mobile communication network should add the parts covering communication between things and things and between people and things. Adjusting and supplementing the security mechanism of the Internet of things according to the characteristics of the mobile communication network should provide the capabilities of network management, business management, mobility management, service quality management, safety management, location services, authentication, billing [10] and management.


6 The Wireless Terminal of the Internet of Things

Research and development of mobile networking terminals is one focus of the future development of the Internet of things. The network layer of the Internet of things exists to connect things with things and people with things; M2M (machine to machine) is a method of communication between two machines and is one of the current forms of Internet application. Its main idea is shown in Fig. 6. Mr. Qi Qingzhong, a famous Chinese communications expert and general manager of Shanghai Communication Co. Ltd., has pointed out that M2M will become the core LTE application within a number of years.

Fig. 6. Schematic diagram of M2M

An M2M device can answer requests for the data it contains, or send that data automatically to another device. The key to M2M technology is the machine-to-machine wireless communication device, realised either by embedding a GPRS/3G/4G communication module into the M2M device, giving it wireless communication capability, or by embedding an M2M chip into a mobile phone terminal, turning the phone into an integrated intelligent terminal for communication, perception and information processing. Both methods provide a wireless access terminal for networking. But as a terminal of the mobile communication network, the Internet of things terminal must conform to the terminal management mode of that network, and the existing mobile communication terminal management model was built on the basis of human communication; operators therefore also need to develop a unified model for terminal management in the Internet of things.

7 Conclusion

In the future course of development of the Internet of things, combining the application of optical fiber sensors with optical communication technology is an inevitable trend. Optical fiber sensors can measure more than 70 physical quantities and can be applied to people’s information collection needs in daily life, in every corner of a construction site and in any harsh environment. The high bandwidth and high data transmission rate of optical communication technology suit the massive data of the Internet of things, and with the highly developed mobile communication network, ubiquitous real-time data exchange and processing between things and things, things and people, and people and people can be achieved. The application of optical fiber sensors and the fusion of optical communication technology with the mobile communication network will make networking deployment more flexible and convenient, reduce construction cost, improve the efficiency of information transmission and provide a good foundation for the development of networked devices for the mobile Internet. Wireless optical communication technology and the mobile communication network are the basic conditions for the development of wireless networking and for the research and development of mobile networking terminals. Wireless communication and mobile communication networks face reliability problems and safety problems caused by the open channel, such as multipath, the Doppler effect, the near-far effect, mobility management and channel allocation; for these problems, wireless communication technologies and protocols have corresponding countermeasures. An Internet of things based on wireless communication technology and the mobile communication network, however, has many special safety problems of its own because of its multilayer structure and the choices made at every level, such as the security problems of sensors and electronic tags. Developing unified standard protocols and technical standards for networking at all levels is therefore the key and the difficulty of the future development of the Internet of things.

References

1. Cont, J.P.: The Internet of things. Commun. Eng. 4(6), 20–25 (2006)
2. Advancing the internet of things for global commerce [EB/OL], 03 July 2014
3. Yang, Z.H.J., Xiao, Q., Yu, R.R., et al.: China mobile: comprehensive practical application on the internet of things. World Telecommun. 2009(11), 40–42 (2009). (in Chinese)
4. Wu, C.J., Yan, C.H.X., Gaozh, L.: Overview of space laser communications. Chin. Opt. 6(5), 672–680 (2013). (in Chinese)
5. Lin, H., Zhou, P.C.H., Wang, F.F., et al.: Fast response organic light-emitting devices for optical communication. Chin. J. Lumin. 34(1), 73–77 (2013). (in Chinese)
6. Chen, G.F., Wang, Y.J.: Optimization time synchronization in cross-layer service for WSNs. Opt. Precision Eng. 21(12), 3231–3238 (2013). (in Chinese)
7. Chen, R.M.: Analysis of ubiquitous/internet of things/sensor network and other communication network relation. Mobile Commun. 34(8), 47–51 (2010). (in Chinese)
8. Bohnert, K., Gabus, P., Nehring, J., et al.: Temperature and vibration insensitive fiber-optic sensor. J. Lightwave Technol. 20(2), 267 (2002)
9. Li, H., Chen, H.J.: Key technology and application prospect of the internet of things. Forum Sci. Technol. China 1, 81–85 (2011). (in Chinese)
10. Xie, C.H.F., Sun, Y., Gao, X.Y.: Convergency strategy of sensor network and telecom network. Telecommun. Sci. 25(12), 9–12 (2009). (in Chinese)
11. Ning, X.F., Zhang, C.H.Y., Wan, W., et al.: Research and design of Internet of things architecture based on LTE system. Comput. Appl. 30(6), 6–9 (2010). (in Chinese)
12. Welbourne, E., Battle, L., Cole, G., et al.: Building the internet of things using RFID: the RFID ecosystem experience. IEEE Internet Comput. 13(3), 48–55 (2009)
13. Song, H.Y., Zhao, H.Q.: Data collection solution design and implementation of distributed reader in EPC network. North China Univ. Technol. 20(1), 22–26 (2008). (in Chinese)
14. Shan, C.H.G., Ma, H.Y.: Coding and decoding technology of Manchester code of Type A IC card. Commun. Technol. 2003(3), 51–52 (2003). (in Chinese)
15. Zhu, J.W., Wang, Y.: Carrier’s views on the general architecture and evolution of IOT. Telecommun. Sci. 26(4), 1–5 (2010). (in Chinese)
16. Guo, Y., Zhang, S.H.Y., Sun, Y.F.: Research of key technologies and unresolved questions of internet of things. Comput. Technol. Dev. 20(11), 180–183 (2010). (in Chinese)
17. Qi, Q.Z.H.: The Internet of things and M2M business strategic thinking. ZTE Commun. 16(1), 3–5 (2010). (in Chinese)
18. Shen, C., Srisathapornphat, C., Jaikaeo, C.: Sensor information networking architecture and applications. IEEE Pers. Commun. 8, 52–59 (2001)
19. Tilak, S., Abu-Ghazaleh, N., Heinzelman, W.R.: A taxonomy of wireless micro-sensor network models. ACM SIGMOBILE Mobile Comput. Commun. 6(2), 28–36 (2002)
20. Chen, H., Megerian, S.: Efficient data collection through compression-centric routing. In: IEEE GLOBECOM, no. 9, pp. 1–6 (2006)
21. Luo, H., Liu, Y., Das, S.K.: Distributed algorithm for en route aggregation decision in wireless sensor network. IEEE Trans. Mobile Comput. 8(1), 1–13 (2009)

Research on Reliability Design of PROFIBUS Fieldbus System in Conventional Island of Nuclear Power Plant

Xin-Nian Huang(B), Heng Li, Xiu-Sen Chen, and Xiao-Yu Liu

State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co., Ltd., Shenzhen 518172, China
[email protected]

Abstract. With the application and development of DCS control system technology in nuclear power projects in recent years, fieldbus technology is gaining more and more attention from power generation groups. However, the application of fieldbus technology in the field of nuclear power is only at the primary stage, mainly because the high reliability requirement of a Nuclear Power Plant limits its development. This paper analyses the structure and typical faults of the fieldbus control system based on PROFIBUS technology, identifies the potential issues of the PROFIBUS fieldbus control system in the conventional island of a nuclear power plant and proposes a method to enhance the reliability of the fieldbus control system. Specific requirements are proposed on redundancy design, diversity design, bus network segment design, bus equipment procurement, bus equipment installation and other aspects, so that possible solutions can be provided for the reliability design and application of fieldbus systems in nuclear power plants.

Keywords: Nuclear Power Plant · Conventional island · Fieldbus system · Reliability

1 Introduction

Since the first million-unit fieldbus control system was put into operation in the Niederhausen Power Plant in Germany in 2002, the application of fieldbus technology has brought a great change to the field of power plant control. The two million units of Huaneng Jinling Power Plant were the first units in China to implement fieldbus technology on a large scale in a power project and were successfully put into operation in 2009 and 2010, respectively, which attracted the attention of domestic power plants and power generation groups. Fieldbus technology can provide a large amount of equipment data for the operation and maintenance of the power plant, greatly improving the overall management accuracy and enhancing the intelligent control ability of the plant. With the application and development of DCS control system technology in nuclear power projects in recent years, the DCS control system has been able to provide a relatively mature fieldbus interface, which has laid a foundation for the application of fieldbus

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021 Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 332–340, 2021. https://doi.org/10.1007/978-981-16-3456-7_32

Research on Reliability Design of PROFIBUS Fieldbus System

333

technology in the nuclear power industry [4]. However, the application of fieldbus technology in the field of nuclear power is still at the primary stage, restrained by the high reliability requirement of a Nuclear Power Plant. Strengthening the exploitation and utilisation of the fieldbus control system has therefore become the most discussed topic in the industry. Based on an analysis of the common faults of the fieldbus system, this paper puts forward a new method and practices to improve the reliability of the fieldbus from the perspectives of fieldbus system design, equipment selection and field installation.

2 Typical Fault Analysis

The network topology of the fieldbus control system based on PROFIBUS technology is illustrated in Fig. 1, in which the DCS card, as the master station, has access control over the bus. Each instrument and actuator in the field is a slave station; slave stations are the responders in PROFIBUS bus communication and cannot actively send data requests, but they can submit local diagnostic information and exchange data with the master station. Twisted pair and optical fiber are used as the transmission media of the bus system: optical fiber is used for the connection between the DCS cabinet and the field because the field is far away, and all bus devices in the field are connected by twisted pair.

Fig. 1. Structure of bus control system

334

X.-N. Huang et al.

Common factors affecting the reliability of fieldbus control systems, mainly installation and equipment problems, are analysed as follows.

1) Single Slave Station Failure. The slave station equipment of the fieldbus control system is basically installed on site, and the site environment is relatively harsh (high temperature, humidity, vibration, electromagnetic interference, etc.), which shortens the service life of the field equipment. When a slave station breaks down, it sends a large amount of fault information to the master station through the bus. If there is a bottleneck in data transmission somewhere in the bus communication link, this may cause network congestion and prevent communication between all slave stations and the master station [1]. Therefore, the data transmission capability of bus communication links should be fully considered when evaluating and selecting bus equipment, and troubleshooting and handling measures should be in place during the operation stage.

2) Disconnection of Transmission Medium. The topology of the PROFIBUS fieldbus is a successive structure, so nodes will inevitably lose communication with the bus system when the transmission medium is disconnected anywhere in the bus. Therefore, redundant design of the link should be considered when designing the bus communication link.

3) Attenuation of Transmission Signal. The bus signal is attenuated during transmission, so the distance is limited and a bus can only cover a certain geographical area; this is determined by the topology of the bus and the characteristics of PROFIBUS bus cables. Therefore, the length of the bus should be kept within a reasonable range at design time. In addition, surface oxidation occurs when twisted pair is used for a long time, which increases the contact resistance and may further attenuate the transmitted signal. Therefore, optical fiber transmission should be used in bus network segments spanning large distances.

4) EMI Influence. Compared with conventional level signals and current signals, fieldbus signals are more easily affected by electromagnetic interference in a complex environment. This is the most common fault in the application of fieldbus systems and needs to be fully investigated in the design, installation and debugging stages; the influence of electromagnetic interference on the bus system must be minimised from the angles of terminating resistance, cable shielding and cable laying.

How to reduce faults and interference and improve the reliability of the fieldbus control system in practical application is the key issue considered in this paper.

3 Discussion on Systematic Solutions

3.1 Redundancy Design of Bus Control System

The fieldbus control system inherits the reliability features of the DCS in many aspects. The DCS adopts a highly redundant configuration in its design, with a redundant communication network, redundant CPU cards, a redundant backplane bus, redundant power supplies, etc., to ensure that the overall control function of the system continues to operate normally under any individual equipment failure. Nevertheless, taking the scale and cost of the DCS cabinet into account, the IO cards and the on-site communication links cannot be configured redundantly, as shown in Fig. 2.

Fig. 2. Difference between conventional system and fieldbus system

The fieldbus control system actually inherits the design of the redundant communication network, CPU card and power supply, and is also an extension of the application of the redundant backplane bus: it extends the cabinet backplane bus out to the instrumentation, realising redundancy over the whole link. From the redundancy design perspective, the redundancy of the fieldbus control system is more thorough, which improves the overall redundancy and reliability of the system. This change in redundancy design benefits from the characteristics of fieldbus technology: both the field intelligent instruments/actuators and the fieldbus communication cards support redundant communication interfaces, so redundant configuration of all fieldbus links is finally realised, and this does not cause a large-scale increase in the cost of the control system [2].

3.2 Bus Control System and Conventional Control Diversity Means

During the application of fieldbus technology in the Conventional Island of a Nuclear Power Plant, the application scope of the fieldbus should be determined according to the development level of PROFIBUS fieldbus technology and engineering application experience, so as to maintain safe and stable operation of the unit. Mature technology should be considered for the control of important equipment, and fieldbus technology adopted on this foundation; the various control methods complement and promote each other. A complete Nuclear Power Plant control system should have a variety of control strategies to choose from. At present, nuclear power plants in operation in China mostly use traditional hard wiring for data exchange between field equipment and servers. To exchange data with an independent subsystem far away from the electronic equipment, remote I/O devices can be used, exchanging the data in the remote IO devices with the DCS servers through the data bus of the DCS internal protocol. This paper focuses on the increasingly mature PROFIBUS fieldbus control system, which connects intelligent devices in series and exchanges data with the DCS server through the PROFIBUS bus protocol. These three control methods can usually coexist and complement each other. The scope of the Nuclear Power Plant Conventional Island and BOP systems to be included in the fieldbus is determined according to the following principles:

1) Fieldbus technology is applied to the auxiliary systems of the secondary loop, which are relatively concentrated in the Conventional Island.
2) In principle, the DCS conventional control mode is adopted for equipment used for important protection, interlocking and automatic adjustment of the unit.
3) Fieldbus equipment is mainly applied to pressure transmitters and integrated Motor-Operated Valves, whose bus technology is relatively mature.
4) The DCS conventional control mode is adopted for equipment with immature bus technology, such as switching value instruments, Solenoid Operated Valves, RTDs, TCs, etc.
5) For the 10 kV pumps of the Conventional Island system and their protection signal instruments, which involve the protection of important equipment, the DCS conventional control mode is adopted.
6) The bypass valves of the high and low pressure feed water heater systems and the filter bypass valves of the Conventional Island are used for emergency opening when a high or low pressure feed water heater or a filter is blocked; since this involves power reduction of the unit, the DCS conventional control mode is adopted.
7) The extraction stop valves of the high/low pressure feed water heater systems and the deaerator-gas stripper system, which are related to turbine protection, adopt the DCS conventional control mode.
8) Condenser vacuum instruments and vacuuming equipment, which involve condenser faults, adopt the DCS conventional control mode.

3.3 Design of Fieldbus Network Segment Based on Function Allocation Principle

The network segment allocation of fieldbus equipment should take the DCS CPU-level function allocation result as its foundation, and the following principles should be applied.

1) Redundant actuators allocated to the same CPU should be allocated to different DP network segments of the same control cabinet.


2) Redundant instruments allocated to the same CPU should be allocated to different PA network segments of the same CPU, but to the same DP network segment.
3) Bus devices controlling the same loop system should preferably be allocated to the same DP network segment.
4) Bus devices at similar locations should preferably be assigned to the same DP network segment.
5) The control system shall reasonably configure the number of buses and the field equipment attached to each bus according to the process design, so that when any bus fails only local failures of the process system occur, the unit does not enter a critical state, and the influence is limited to a minimum.
6) This paper gives a system-level function allocation scheme (see Table 1 for details). Each column is a function subgroup and each area is a control station. Based on reasonable system-level function allocation, the loss of one station will not lead to unit shutdown.
7) Losing a network segment under a station will not cause direct power reduction or equipment damage.
8) When a network segment or a device is lost, the DCS maintains system stability and the automation level by setting default values for important signals. For downlink instructions, a field bus device such as a Motor-Operated Valve cannot be given a default value, but it can be controlled directly through ESD hard wiring; for uplink data, the DCS can set default values to keep the system in a safe state.
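As an added example that is not part of the paper, the following Python script turns Sect. 3.3 principles 1 and 2 and Sect. 3.4 rules 2 and 6 into automated checks that can be run over a proposed segment allocation before it is frozen. The segment names, cabinet names, device tags and the `fiber_to_comm_box`/`termination_at` fields are assumed for illustration; the 500 kbit/s rate and 400 m limit are the paper's values.

```python
"""Design-rule checker for a PROFIBUS DP/PA segment allocation (added example).

Encodes Sect. 3.3 principles 1 and 2 and Sect. 3.4 rules 2 and 6 of the paper.
All segment/cabinet names and device tags below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_DP_SEGMENT_M = 400   # Sect. 3.4 rule 2: max DP copper length per segment
DP_BAUD_KBIT = 500       # Sect. 3.4 rule 2: required DP communication rate


@dataclass
class DPSegment:
    name: str
    cabinet: str                        # control cabinet driving this segment
    length_m: float
    baud_kbit: int = DP_BAUD_KBIT
    termination_at: str = "comm_box"    # "comm_box" or "field_device" (assumed field)
    fiber_to_comm_box: bool = False     # fiber link cabinet -> bus comm box (assumed field)


@dataclass
class Device:
    tag: str
    kind: str                           # "actuator" (DP slave) or "instrument" (PA slave)
    cpu: str                            # DCS CPU the device's function is allocated to
    dp_segment: str
    pa_segment: Optional[str] = None    # PA segment behind a DP/PA coupler
    redundancy_group: Optional[str] = None  # devices sharing a group are redundant


def check_allocation(segments: Dict[str, DPSegment], devices: List[Device]) -> List[str]:
    """Return human-readable rule violations; an empty list means compliant."""
    issues: List[str] = []

    for seg in segments.values():
        if seg.baud_kbit != DP_BAUD_KBIT:
            issues.append(f"{seg.name}: DP rate {seg.baud_kbit} kbit/s, expected {DP_BAUD_KBIT}")
        if seg.length_m > MAX_DP_SEGMENT_M and not seg.fiber_to_comm_box:
            issues.append(f"{seg.name}: {seg.length_m:.0f} m copper exceeds {MAX_DP_SEGMENT_M} m; "
                          "use fiber to the comm box")
        if seg.termination_at != "comm_box":
            # Sect. 3.4 rule 6: a damaged field device must not take the termination with it
            issues.append(f"{seg.name}: DP termination must sit in the bus communication box")

    groups: Dict[str, List[Device]] = {}
    for dev in devices:
        if dev.dp_segment not in segments:
            issues.append(f"{dev.tag}: unknown DP segment {dev.dp_segment}")
        if dev.redundancy_group:
            groups.setdefault(dev.redundancy_group, []).append(dev)

    for gname, members in groups.items():
        if len({m.cpu for m in members}) != 1:
            issues.append(f"{gname}: redundant devices must be allocated to the same CPU")
            continue
        dps = [m.dp_segment for m in members]
        if all(m.kind == "actuator" for m in members):
            # Sect. 3.3 principle 1: different DP segments of the same cabinet
            if len(set(dps)) < len(dps):
                issues.append(f"{gname}: redundant actuators share DP segment")
            if len({segments[s].cabinet for s in dps if s in segments}) > 1:
                issues.append(f"{gname}: redundant actuators split across cabinets")
        elif all(m.kind == "instrument" for m in members):
            # Sect. 3.3 principle 2: same DP segment, different PA segments
            if len(set(dps)) != 1:
                issues.append(f"{gname}: redundant instruments must share one DP segment")
            pas = [m.pa_segment for m in members]
            if len(set(pas)) < len(pas):
                issues.append(f"{gname}: redundant instruments share PA segment")
        else:
            issues.append(f"{gname}: mixed actuator/instrument redundancy group")
    return issues


def sample_segments(good: bool) -> Dict[str, DPSegment]:
    """Constructed segments; the bad variant over-lengthens DP2 and terminates it in the field."""
    segs = [
        DPSegment("DP1", "CAB-A", 250),
        DPSegment("DP2", "CAB-A", 250 if good else 520,
                  termination_at="comm_box" if good else "field_device"),
        DPSegment("DP3", "CAB-B", 600, fiber_to_comm_box=True),  # long run, but on fiber
    ]
    return {s.name: s for s in segs}


def sample_devices(good: bool) -> List[Device]:
    """Constructed tags; the bad variant puts the MOV pair on one DP and the PT pair on one PA."""
    return [
        Device("MOV-101A", "actuator", "CPU1", "DP1", redundancy_group="MOV-101"),
        Device("MOV-101B", "actuator", "CPU1", "DP2" if good else "DP1", redundancy_group="MOV-101"),
        Device("PT-201A", "instrument", "CPU1", "DP3", "PA1", "PT-201"),
        Device("PT-201B", "instrument", "CPU1", "DP3", "PA2" if good else "PA1", "PT-201"),
        Device("MOV-305", "actuator", "CPU2", "DP3"),  # non-redundant device, no group checks
    ]


if __name__ == "__main__":
    for label, good in (("compliant", True), ("non-compliant", False)):
        print(label, check_allocation(sample_segments(good), sample_devices(good)))
```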

X.-N. Huang et al.

Table 1. System-level function allocation scheme

System | Subgroup 1 | Subgroup 2 | Subgroup 3
Condensate extraction system | No. 1 condensation pump and its accessory equipment | No. 2 condensation pump and its accessory equipment | No. 3 condensation pump and its ancillary equipment
Condensate vacuum system | No. 1 vacuum pump and its accessory equipment | No. 2 vacuum pump and its accessory equipment | No. 3 vacuum pump and its accessory equipment
Low pressure feed water heater system | Bypass valves of No. 1/2 heater and No. 3/4 heater | No. 3A/4A heater, No. 1/2 heater | No. 3B/4B heater
Low pressure feed water recovery system | NA | The water recovery system corresponding to 3A/4A heater | The water recovery system corresponding to 3B/4B heater
Feedwater deaerating tank and gas stripper system | NA | Deaerator-gas stripper liquid level protection (channel 1) | Deaerator-gas stripper liquid level protection (channel 2) and utilities in deaerator-gas stripper
Electric feedwater pump system | No. 1 feedwater pump and its accessory equipment | No. 2 feedwater pump and its accessory equipment | No. 3 feedwater pump and its accessory equipment
High pressure feed water heater system | No. 6/7 bypass system | 6A/7A heater | 6B/7 heater
Auxiliary cooling water system | No. 1 cooling water heat exchanger | No. 2 cooling water heat exchanger | No. 3 cooling water heat exchanger
Closed cooling water system | No. 1 closed cooling pump and public equipment | No. 2 closed cooling pump | No. 3 closed cooling pump
Other auxiliary systems | Start-up feedwater system | Main steam drainage system | Hot water production and distribution system

3.4 Network Segment Design Based on PROFIBUS Fieldbus Technology

1) Profibus-DP networks must be configured with dual network redundancy.

2) The communication rate of the Profibus-DP network should be set to 500 kbit/s, and the transmission distance of the DP bus in a network segment should not exceed 400 m. If the transmission distance is too long, optical fiber transmission should be considered between the electronic equipment and the local bus communication box [5].

3) A DP/PA coupler with a DP dual network hot backup redundant interface should be used.

4) A Y-link coupler with a DP dual network hot backup redundant interface should be used.

5) Optical fiber transmission components, DP/PA couplers and Y-link couplers shall be placed in the local bus communication box, and the PA bus distribution box should be placed close to the field equipment [7].

6) The terminating resistor of the DP network shall be placed in the local bus communication box and not at the field equipment, to avoid losing the terminating resistor of the whole DP network when a device is damaged [8].

7) The fieldbus communication box shall be located at the near end of the bus network, and the fieldbus equipment with dual redundant interfaces shall be located at the far end of the fieldbus network.

8) The same DP network segment shall keep the shielding grounding of the entire network segment continuous, with single-ended grounding at the near end. The shielded grounding of different DP network segments should be independent of each other. When different DP network segments share an adapter box, the shielded grounding of the different DP network segments should be prevented from being shorted in the adapter box [6].

9) The same PA network segment shall keep the shielding grounding of the whole network segment continuous, with single-ended grounding at the local adapter box. The shielded grounding of different PA network segments should be independent of each other. When different PA network segments share an adapter box, the shielded grounding of the different PA network segments should be prevented from being shorted in the adapter box.


10) The shielded grounding and protective grounding of fieldbus equipment (slave stations) should be independent of the shielded grounding of the network segment and shall be grounded nearby on site.

3.5 Selection of Bus Type Intelligent Equipment

1) Instruments and equipment using PROFIBUS communication technology shall, in addition to having stable and reliable performance and meeting the requirements of the process, be equipment that has been registered and certified by the fieldbus association.

2) Instrumentation and control equipment adopting PROFIBUS communication technology should use equipment with a PROFIBUS DP-V1 or higher communication protocol interface, or equipment with a PROFIBUS PA communication protocol interface.

3) Controlled slave stations of important process systems should use equipment with redundant PROFIBUS DP interfaces.

3.6 Layout of Bus Intelligent Equipment

1) Local bus communication box arrangement

a) The local bus communication box should be arranged nearby according to the location planned in the preliminary design stage of the network segment.

b) Avoid placing it near high-power rotating equipment and electrical grounding points [3].

c) It should be arranged in an area accessible to personnel for easy maintenance.

d) The installation position of the local bus communication box on site shall be located accurately according to the provisions of the design documents, and the installation position shall not be changed, so as to avoid increasing the network segment voltage drop or fluctuation.

e) The arrangement and installation of fieldbus communication components and connectors shall also comply with the requirements of Section 4.4 of DL/T 1212-2013.

2) Fieldbus cable laying

a) Fieldbus cables should not be laid together with power cables or in parallel with them over long distances. Sufficient space should be left between the power cable and the bus cable, and where a power cable and a bus cable cross, they shall cross at an angle of 90°.

b) Fieldbus cables can be laid together with instrumentation and control cables (control cables, measurement cables and communication cables), and the cable trays should be capped.

c) Redundant PROFIBUS communication cables should be routed along different cable laying paths.


d) When laying the relevant communication cables, optical cables shall be laid first. After laying is completed, the fieldbus system manufacturer shall arrange technicians to carry out or guide the splicing of the field optical fibers to ensure a normal connection between the field communication cabinet and the master station.

e) Fieldbus cable/fiber installation shall also comply with the requirements of Chapter 5 of DL/T 1212-2013.
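The allocation principles of Sections 3.3 and 3.4 (redundant partners on separate segments, one cabinet per actuator pair, 500 kbit/s, 400 m, terminating resistor in the communication box, containment of a single bus failure) can be checked mechanically at design time. The following added example, which is not code from the paper, does that over a constructed configuration; all CPU, cabinet, segment and device tag names are assumptions.

```python
"""Design-rule checks for a PROFIBUS DP/PA segment allocation.

Added example, not code from the paper: it encodes the allocation
principles of Sections 3.3 and 3.4 as checks over a constructed plant
configuration. All CPU, cabinet, segment and device names are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

DP_RATE_KBIT = 500   # required DP communication rate (Section 3.4, item 2)
DP_MAX_LEN_M = 400   # DP segment length limit without optical fibre (item 2)


@dataclass
class Segment:
    name: str
    kind: str                         # "DP" or "PA"
    cabinet: str                      # control cabinet the segment belongs to
    length_m: float = 0.0
    rate_kbit: int = DP_RATE_KBIT
    redundant: bool = True            # dual-network redundancy (item 1)
    terminator_at: str = "comm_box"   # "comm_box" or "field_device" (item 6)
    parent_dp: Optional[str] = None   # PA segments: the DP segment behind the coupler


@dataclass
class Device:
    tag: str
    kind: str                         # "actuator" or "instrument"
    cpu: str
    segment: str
    redundant_group: Optional[str] = None  # partners in one group are redundant


def check_segments(segments: List[Segment]) -> List[str]:
    """Per-segment rules of Section 3.4 (redundancy, rate, length, terminator)."""
    findings = []
    for s in segments:
        if s.kind != "DP":
            continue
        if not s.redundant:
            findings.append(f"{s.name}: DP segment must use dual-network redundancy")
        if s.rate_kbit != DP_RATE_KBIT:
            findings.append(f"{s.name}: rate {s.rate_kbit} kbit/s, required {DP_RATE_KBIT}")
        if s.length_m > DP_MAX_LEN_M:
            findings.append(f"{s.name}: {s.length_m} m exceeds {DP_MAX_LEN_M} m, use fibre")
        if s.terminator_at != "comm_box":
            findings.append(f"{s.name}: terminator must be in the local bus communication box")
    return findings


def check_redundant_pairs(segments: List[Segment], devices: List[Device]) -> List[str]:
    """Section 3.3 items 1 and 2: redundant partners on one CPU must not share a segment."""
    seg = {s.name: s for s in segments}
    groups: Dict[Tuple[str, str], List[Device]] = defaultdict(list)
    for d in devices:
        if d.redundant_group:
            groups[(d.cpu, d.redundant_group)].append(d)
    findings = []
    for (cpu, group), members in groups.items():
        if len(members) < 2:
            continue
        used = [seg[m.segment] for m in members]
        if len({s.name for s in used}) < len(members):
            findings.append(f"{group}@{cpu}: redundant devices share one segment")
        if members[0].kind == "actuator" and len({s.cabinet for s in used}) > 1:
            findings.append(f"{group}@{cpu}: actuators must use DP segments of the same cabinet")
        if members[0].kind == "instrument" and len({s.parent_dp for s in used}) > 1:
            findings.append(f"{group}@{cpu}: instruments should hang off the same DP segment")
    return findings


def lost_on_failure(segments: List[Segment], devices: List[Device], failed: str) -> Set[str]:
    """Device tags lost when one segment fails; a DP failure also takes its PA segments."""
    dead = {failed} | {s.name for s in segments if s.kind == "PA" and s.parent_dp == failed}
    return {d.tag for d in devices if d.segment in dead}


def groups_fully_lost(segments: List[Segment], devices: List[Device], failed: str) -> Set[str]:
    """Redundant groups with no surviving member: the single-bus failure rule (item 5)."""
    lost = lost_on_failure(segments, devices, failed)
    members: Dict[str, List[str]] = defaultdict(list)
    for d in devices:
        if d.redundant_group:
            members[d.redundant_group].append(d.tag)
    return {g for g, tags in members.items() if set(tags) <= lost}


# Constructed configuration: two DP segments in one cabinet, two PA segments behind DP1.
SEGMENTS = [
    Segment("DP1", "DP", "CAB-A", length_m=250),
    Segment("DP2", "DP", "CAB-A", length_m=450, terminator_at="field_device"),
    Segment("PA1a", "PA", "CAB-A", parent_dp="DP1"),
    Segment("PA1b", "PA", "CAB-A", parent_dp="DP1"),
]
DEVICES = [
    Device("MOV-101A", "actuator", "CPU1", "DP1", "heater-bypass"),
    Device("MOV-101B", "actuator", "CPU1", "DP2", "heater-bypass"),
    Device("LT-201A", "instrument", "CPU1", "PA1a", "deaerator-level"),
    Device("LT-201B", "instrument", "CPU1", "PA1a", "deaerator-level"),  # should be on PA1b
]

if __name__ == "__main__":
    for f in check_segments(SEGMENTS) + check_redundant_pairs(SEGMENTS, DEVICES):
        print("VIOLATION:", f)
    print("groups lost if DP1 fails:", groups_fully_lost(SEGMENTS, DEVICES, "DP1"))
```

Running the constructed configuration reports the over-length DP2 segment with its field-side terminator, the two level transmitters sharing PA1a, and that losing DP1 would take both channels of the deaerator level group.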

4 Potential Problems and Analysis

As a nuclear power plant runs longer, the failure rate of fieldbus equipment gradually increases, and how to ensure the reliable operation of each link of the fieldbus control system is an important problem faced by the nuclear power plant's operation and maintenance departments. Through repeated argumentation in the design stage, the reliability of the system design, and with it the reliability of the nuclear power plant fieldbus control system, can be greatly improved. However, failures caused by the long-term operation of the equipment are unavoidable, and the failure of fieldbus equipment will also lead to failure of the bus control system. The quality of fieldbus equipment is a problem that we need to pay attention to over the long term.

References

1. Cao, L.: Analysis of Problems Affecting Reliability of PROFIBUS-DP Fieldbus Control System (2010)
2. Zhang, X., Mao, R., Li, C.: Improving the Reliability of Power Station Control System by Relying on Fieldbus (2005)
3. Xu, B.: Application of PROFIBUS Fieldbus in water treatment control system (2010)
4. Wang, F.: Application of PROFIBUS Fieldbus in thermal power plant (2010)
5. Fang, L.: Application of PROFIBUS Fieldbus Technology in PLC (2011)
6. Song, J.: Network optimization based on PROFIBUS-DP Fieldbus Technology (2012)
7. Huang, B.: Development of PROFIBUS-DP/PA Fieldbus coupler (2013)
8. Bi, L.: Design of fieldbus communication system based on PROFIBUS-DP (2009)

Research and Practice of Design Process (Knowledge) Reuse in the Data State Environment of Nuclear Power Design Company

Jing Ma(B), Wei-Qi Dai, and Wei-Jian Lei

State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co., Ltd., Shenzhen 518172, Guangdong, China
[email protected]

Abstract. With the expansion of its business, Nuclear Power Design Company has established a design portal based on the whole product line that integrates its design platforms and tools. This indicates that nuclear power is changing from a “document-centered design and production mode” to a “data-centered digital design and production mode”. Meanwhile, the mass production of nuclear power has created an urgent application demand for a new form of archive management, information mining and design knowledge reuse in the digital environment. By analyzing the spatial evolution of the archive object space in the nuclear power data state environment and using the concept of the “three states” of archives from academic circles, this paper proposes the management idea of establishing the nuclear power archive object space, and reconstructs the nuclear power design process (knowledge) reuse model with “design activity” as the core and the WBS (work breakdown structure) coding structure as the framework.

Keywords: Design process · Tri-state archives · Archive data · WBS structure · Design reuse

1 Introduction

CPR1000 nuclear power plants carry out design process control, progress tracking and design finished product records management through the Index of Engineering Documents List (IED). This mode has been used from Daya Bay to Ling’ao Phase II, Hongyanhe, and Fangchenggang Phase II. The company launched the AE Document Management Platform (AED) to standardize and control the terminal results under the IED management mode. The IED, as a list of engineering design documents, is a collection of nuclear power design finished products and a “living” records directory, which defines the accurate filing range of nuclear power archives (both electronic and paper). The huge design finished product records library has obvious advantages in the process of large-scale development of nuclear power. With the expansion of the nuclear power business, our company launched the nuclear power professional Collaborative Engineering Platform, marking the completion of the industry’s first Engineering Portal with design business as the core, based on the whole product line and integrating all design platforms and design tools, and

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 341–353, 2021. https://doi.org/10.1007/978-981-16-3456-7_33

342

J. Ma et al.

marking the transformation of the design production mode with full documents as the core to the digital design production mode with data as the core. The evolution of the Information Technologies environment itself has brought a large number of brand-new types of archival objects to the archival department, thus prompting the archival department to take active measures to deal with the challenges brought by these new technological environments [1]. The “data transformation” of the front-end design and production system will definitely produce a large number of data-based archival records, prompting the focus of archival work to shift from “T” (technology) to “I” (information) and to a large number of data that can be understood and explained. The archival data collection composed of these data and traditional documents is the core of design activities. In the field of engineering design, about 70% of the design work is adaptive design and variant design, and its design process is basically the reuse of existing design knowledge [2]. How to better establish the management idea of “the archive object space” under the new record ecological environment, take “design activities” as the core, tap the front-end business value, and realize the reuse of design process (knowledge) has become a common problem for nuclear power archivists under the background of big data.

2 New Challenges of the Digital Design and Production Environment

2.1 Analysis of the Digital Production Environment for Nuclear Power Design

In order to solidify the existing design business activity rules and effectively regulate the production of massive design achievement records, the design company where the author works has independently developed a design and production platform, the Engineering Management Platform (EMP). As a foundation platform for design and production management, EMP has independent intellectual property rights and is composed of the Project Plan Management System, the Design Process Management System and the Configuration Management Information System. It realizes the systematization, integration and intelligence of whole-process management of design and production. The platform is based on a relational database design, aiming at establishing a data-based design management system with process control as the core by using information tools, so as to achieve the goal of standardization and digitalization of design management. The data generated by EMP finally enters the AE Document Management Platform (AED) through a unified web service interface and is archived in the form of electronic documents (letters) (Fig. 2). AED, as an enterprise content management platform, combines a process engine, a distribution module and a personal workbench, and is a fast and efficient document work platform portal. AED has achieved full coverage of engineering design projects, meeting the needs of electronic records management at the scale of tens of millions of records, and has unique advantages in versatility (abstracting specific businesses and providing standard interfaces for different external systems), real-time performance (faster data interaction), scalability (supporting changeable business requirements), and reliability (timestamps and audit tables). The ONCE Search Engine, a self-developed search engine based on the AED system, provides users with fast, accurate, concise and complete document retrieval services.

Research and Practice of Design Process (Knowledge) Reuse

343

Fig. 1. Design document platform data exchange [3]

With the emergence of requirements for design restoration and design reuse, we found that the information production design system does not cover the whole design process, and that there is no unified management for mechanical calculation, three-dimensional modeling, system flow and other design activities. This front-end research and development, which generates the design input documents, produces key algorithms and innovative modeling modes, which are the core and creativity of the whole design company. Accordingly, the design company where the author works has established a professional Collaborative Engineering Platform. This is a company-level design platform consisting of ten sub-platforms, covering overall design, stacker design, site planning, system design, radiation shielding, electrical design, instrumentation and control design, equipment design, civil engineering and layout design. It can track and record the professional design process, solidify the data and process of the design front-end business, and provide advanced tools, methods and calculation services for the design work.

2.2 Business Challenges Brought by the Space Evolution of Archives Objects

With the drastic changes in the upstream environment (the data formation environment), more and more data-driven or model-driven business systems (the professional Collaborative Engineering Platform) have emerged, forming a large number of data bodies existing at data scale. As the original records of business activities, these data bodies have definite archival attributes, and the ways and means of archiving and preserving them need to be considered. However, due to the great changes in its concept, original form, dependency relations and methodological center of gravity, the data state inevitably faces unprecedented challenges [4].


(1) Extension of the Records Definition

In November 2011, the International Standard Organisation redefined records (archives) through a series of records standards: records refer to information, regardless of its carrier, form or format, formed, received and kept as evidence and/or assets by organizations or individuals in the course of performing legal obligations, conducting business activities or realizing their purposes. This series of standards elevates records to the level of enterprise assets and expands them to “information” without restricting the carrier. In 2015, the National Archives of Australia issued the Digital Continuity 2020 Policy on this basis, with three core principles: information is valuable; information is managed digitally; information, systems and processes are interoperable [5]. Qian pushed the definition of archives further, and the author agrees with it. He divided archives into three states according to technological innovation under the new situation: the analog state, the digital state and the data state. Analog-state archives are archives management objects that record and save analog signals, which can be understood as carrier-centered records with traditional black characters on white paper. The digital state refers to the space managed in the form of records in the digital signal space, which can be understood as electronic records centered on content and based on the four characteristics of archives and their dependent structure and background. The data state refers to the state formed by the existence and continuous operation of data granularity. The main management objects of the data state management space are data, rules, models and ontologies, such as the three-dimensional model base of nuclear power projects and the Engineering DataBase of nuclear power technology transfer or nuclear power plant digital transfer.
In the process of evolving from the analog state to the data state, the archives management object unit changes from “volume” and “piece” to archives space (Table 1). The archives management object in the data state environment is actually an archives management object space with logical spatial relationships.

Table 1. Comparison of spatial characteristics of management objects based on three-state theory [4]

 | Analog state | Digital state | Data state
Signal properties | Analog (continuous) | Digital (discrete) | Digital (discrete)
Semantic features | Semantic continuity | Semantic continuity | Semantic discretization
Management object | Carrier-centric | Content-centric | Data-centric
Dependencies | Unity of logical structure and physical structure | Information (logical structure) is separated from carrier (physical structure) | Logical structures and models with complex associations
Object structure | Carrier + handwriting + combination mode | Content, structure, background | Related elements such as rules, models, semantics, etc.
Original form | White paper + black characters | | Data volume + parameter output snapshot
Management focus | Orderly environmental management based on carrier | Management system based on four characters of archives; cure content at records scale | Data-based rules, models and ontology management
Technical essentials | Important element protection | Emphasis on system management | Re-intelligent service
Standard status | Initial system | Basic blank | Better completeness

The proposal of the concept of data-based archives has brought about disputes between the information department’s archiving of data and the archives department’s archiving at records scale: information has its own concept of data archiving. According to the Storage Network Industry Alliance (SINA), in the field of data management, archiving refers to “putting data objects and their metadata into a storage system with the primary purpose of long-term preservation” [6]. For the nuclear power production platform based on the SOA project system architecture, data archiving is only a storage strategy, and the professionalism of the concept of “archiving” has been weakened. The main work is to save historical data, ignoring the professional requirements of preserving business vouchers and maintaining organic connections. As a result, the professional management of the entire archives in the big data environment faces the risk of being ignored or even replaced, which is detrimental to maintaining the trusted vouchers and historical memory of data-based archives. Judging from the author’s experience in managing overseas technology transfer archives, some overseas nuclear power research institutes have begun to refer to the concept of data-based archives and to adopt the form of archive data bodies in transfers. In fact, with the proposal of the “digital nuclear power plant” and “digital transfer” in China, it is only a matter of time before the concepts of nuclear power data state archives and the nuclear power data state archive body are clarified.

(2) Classification of Archives Management Categories

To sum up, the scope of archives management is very clear at present. The design results are based on the IED documents index list, and the project management records are generated through the EMP platform and stored in AED. After the professional Collaborative Engineering Platform goes online, a large number of non-text digital resources generated in the design and analysis process are produced at the front end of the business. The business domain data of the platform are basically “isolated islands”: neither the business design process nor the data records can be shared and managed, and the business process realized in the IT system construction can be precipitated and continuously developed.


John McDonald pointed out that under the big data environment it is necessary to formulate a retention schedule from the perspective of business processes, and that big data analysis needs to be considered as a new business whose related data need to be archived together, thus expanding the scope of archiving [7]. Victoria Louise Lemieux also pointed out that records are formed in the process of big data analysis, and that these records should be included in the scope of records management [8]. For a long time, due to the division of labor between traditional archives and information departments, the archival management and ownership of this part of the data have not been defined. Obviously, the traditional archival appraisal techniques and the principles for dividing storage categories no longer work in this new field.

(3) Inadequacy of Existing Preservation Means

Since 2006, with the joint efforts of all relevant units in the nuclear power industry, China has successively issued EJ/T 1224-2008 “Electronic Records Metadata for Nuclear Power industry” (referring to ISO 15489), EJ/T 1225-2008 “Requirements for Management of Nuclear Power records and archives” and NB/T 20041-2011 “Classification Criteria and Coding Rules for Nuclear Power archives” [9]. However, these standards and definitions do not address data state archives. Compared with the gaps in the standards system, the technological update is more urgent. Through mature electronic records management practice, archivists have changed from archives entity administrators to records process auditors. The main focus of the records audit is on structured data quality and electronic records entities. In the data state, mastering and applying the tools developed in the data-driven business field to maintain the integrity of the archives object space is the key technology that traditional archivists urgently need to update.

2.3 Challenges of Nuclear Power Plant Design Process (Knowledge) Reuse

The design of a nuclear power plant is an activity that formulates specific construction regulations or codes according to its production function and the requirements of laws, codes and standards, in combination with the characteristics and conditions of the site. Nuclear power plant design management is an important means of ensuring design quality and the requirements of the Nuclear Safety Codes (China), and of ensuring close coordination between design and equipment procurement, construction, commissioning and start-up, as well as operation and maintenance after completion [10]. Nuclear power design process control is divided into seven links: design planning, design input, design analysis, design review, design verification, design output and design confirmation. These seven links run through all stages of project design (Fig. 1). Among them, design analysis refers to the series of intellectual processes, such as calculation, demonstration and analysis, by which designers use the design input to generate the design output; it is the core competitiveness of nuclear power design. However, archive asset management of the design process is a new topic for us.


Fig. 2. Nuclear power plant design process control diagram

3 Practice of the Preservation Strategy Under Tri-State Archives Situation Awareness

Under the current nuclear power production environment, archives must exist in a mixed form, as Qian suggested, i.e. the coexistence of traditional paper (analog state), electronic entities (digital state) and archive data bodies (data state). The proportions and preservation strategy of the three coexisting states will vary with technological maturity and project requirements. Archives management in the analog and digital states is relatively mature. The author will take the project “Construction of Nuclear Power Standardization Project Design Results Database” as an example to discuss the preservation strategy and practical experience of three-state archives.

3.1 Construction of a Design Results Database Aiming at Design Reuse

The design standardization project is a standard reactor type based on the research and development of third-generation nuclear power technology. Its purpose is to apply the design results effectively to the physical engineering projects of batch construction. At the same time, the design is standardized and the design process is restored in two directions in the standardization process. In this project, an open definition is adopted for records (archives): records include design finished product documents and design process documents. Design finished product records refer to the various forms of records formed in design activities, including finished design products and design management records (design review forms stored in the form of electronic records, etc.). Design process records refer to information formed in design activities that can be used as evidence and assets, regardless of carrier, format and form. In the implementation of the project, a three-level linkage mode of “Project management team - Design team - Archives Department” is planned. The project team jointly set up a nuclear power Design Criteria WBS, which decomposes the design activities


into work packages. The design team takes the main setter as the main responsible body, re-decomposes the design activities, and sorts out the design output and business process under each design activity. The design output includes design finished product documents, design process documents, information platforms, software tools, etc. The documents (files) handed over for filing (including new-form files) are subsets or complete sets of the design output, and the chief engineer of project implementation is responsible for defining the depth, scope and filing scope of the design output. The Archives Department is responsible for managing the design output of the project team (custody scope). This linkage mode breaks the scope and classification of traditional archives, closely follows the business process and forms a “new storage scope and categories”. On the foundation determined by the concept and storage scope, classified management strategies are formulated for the various forms of records (archives). For the design finished product records uniformly published by the IED list, the Archives Department has made the records control requirements clear according to the Nuclear Power Plant Quality Assurance Safety Regulations (HAF003), mainly covering three aspects: records compilation and approval control, records release and distribution, and records change control [11]. It also assists IT in establishing the EMP platform, through which records are drafted, reviewed, handed over, filed and distributed; AED is responsible for storage and utilization. In the EMP business process, design documents, drawings, design review sheets, design review forms, design change forms and other fixed templates are preset in advance (Table 2).
At the same time, a “records audit” link is nested in the EMP business process, and the archives department checks the consistency between the structured document metadata and the electronic records entities to ensure that the designed finished products meet the quality system and filing requirements of the Nuclear Safety Administration, owners and companies.

Table 2. Design change order partial metadata structure

No. | Metadata classification | Field name | Chinese name
1 | General | C_archivc_codc | Archives No.
2 | General | C_store_location | Storage Place
3 | General | C_title | Title
4 | General | C_language | Language
5 | General | C_approve-date | Preparation Date
6 | General | C_created_unit | Prepared by
7 | General | C_security_level | Secret classification
…… | General | …… | ……
1 | File Type | C_filed_code | Specialty (Responsibility Specialty)
2 | File Type | C_unit_code | Unit No.
3 | File Type | C_dips_code | DIPS Code
4 | File Type | Object_name | DEN Code
…… | File Type | …… | ……


For the project database, the whole database shall be handed over. Database tools and rules jointly support the restoration of the original business, maintain the integrity of a single archives management space object, and solve the problem that dimensionality-reduction management of the data state space may destroy the semantic continuity of data state archives. The distributed data cards generated by software calculation are reduced to electronic records, and the expanded electronic records transfer format is standardized (Table 3).

Table 3. Format requirements for handover of electronic records

Electronic records type | Preferred records format | Acceptable document format
CAD records | X3D, STEP | PDF/E, U3D, PRC
Digital video records | AVI, MOV, WMV, MPEG4, MPEG2, MXF |
Scanned text records | TIFF, JP2, PNG, PDF/A |
Text data records | ASCII Text, Unicode Text, ODF, PDF/A-1, PDF/A-2 | PDF, DOCX, DOC
Presentation records | ODP, PDF/A-1 | PPT, PPTX, PDF/A-2
Structured data records | CSV, ODS, ASCII Text, JSON, XML | MS Excel Office Open XML, XLS, EBCDIC (Immediate Handover Format)
E-mail records | EML, MBOX | XML, MSG
Web records | WARC, ARC | JPEG Compressed JFIF, GIF, PDF/A-2
Digital poster records, digital photos | TIFF, JP2, PNG, PDF/A | JFIF and GIF with JPEG compression
Geospatial records | VPF, ESRI ARC/INFO, TerraGo Geospatial PDF, ESRI Shapefile and SDTS (Immediate Handover Format) | GeoTIFF, GML, TIGER, KML
Special notes | The preferred records format for e-mail records aggregation is PST, MBOX |


3.2 Exploration of Design (Knowledge) Reuse Based on WBS of Nuclear Power Design Criteria Design reuse has a long history, and people may unconsciously use design reuse technology to solve practical problems in the design process [12]. As early as the 1990s, there were a lot of researches abroad, most of which focused on the traditional static knowledge modeling field and did not consider the actual needs of dynamic knowledge management and knowledge reuse in business processes. In the process of product design, from the overall point of view, the design process is complex and changeable, and it is difficult to customize it in advance through template technology. However, the basic structural system of the product is relatively fixed. If the basic framework structure of the product design process and the design process of the components are relatively fixed from the perspective of the product structure, they can be templated through dynamic customization technology [13]. For mass construction of nuclear power projects, replica design is the only way. The purpose of building the database of nuclear power standard design results is also to restore design and reuse design (knowledge) to the greatest extent. Nuclear Power Design Criteria WBS, as a vertically structured working group oriented to the deliverables in the design phase of nuclear power engineering. It summarizes and defines all the work in the design phase of nuclear power engineering, each design work element (WE) constitutes a separate entry in the WBS. The lowest WE is the Design Activity Work Package (WP), which is a specific activity oriented to specific objects. The design output under each WP constitutes a component in the design process of nuclear power products and is the functional unit with the smallest granularity in the design activity. The design knowledge is also refined to the corresponding functional unit to form a knowledge unit. 
By associating these knowledge units with the IED design finished product list in WBS coding form, a file data body with the design finished product as its core can be constructed to realize the association between records and data in the whole design process. At the same time, in the business layer, the design activities with WBS as the core can also realize dynamic perception and aggregation based on business processes, and finally realize the maximum design restoration from business processes to terminal results (Fig. 3). Taking the design activity "Tools and Software Management" as an example, the usability of the design reuse model is verified. Under the WBS system of nuclear power engineering design, the activity code is PC-PM-TM, and the WBS design under the activity is decomposed as shown in Fig. 4. Ideally, when the next design activity is carried out, the design under the activity can be divided into activities through the PC-PM-TM coding, and all the design outputs can be transferred out. Using the WBS architecture, the archives department can sort out the design output in layers, jointly determine the scope of archives storage with the project team, and formulate the storage rules of archives data aggregates according to different states. Designers are at the front end of the business. The sub-activities under the design activity can be clustered with relevant knowledge components through WBS coding. At the service terminal, the data, models, calculation reports and the like associated with a single design record can be clustered through the association established between IED record coding and WBS to form a records-centered knowledge group, and the problem of data-state records archiving can be solved.


Fig. 3. Design activity (knowledge) reuse model based on WBS coding assemblage

Fig. 4. Design reuse of design activity “tools and software management”

3.3 Design Business Process and Implementation of Knowledge Modeling Technology

Returning to the analysis of nuclear power design itself and the platforms in use, we find that the existing digital production environment internalizes the design business process rules into the system to a great extent and also realizes a certain degree of design output management. However, WBS system integration is still lacking, and there are still challenges in implementation under the current technical environment.


(1) It is very difficult to construct the WBS system of a nuclear power standard.

A WBS for project management must be decomposed to the work package level to make it an effective management tool. When creating a WBS, project team members must be involved to ensure the consistency of the WBS. Each WBS item must be documented to ensure an accurate understanding of the scope of work included and not included. The WBS must be able to adapt to unavoidable changes while maintaining the work content of the project according to the scope specification. The work breakdown structure: is derived from the project objectives and the project products, services, or results; provides a means for defining the total scope of work; ensures that work elements are defined and related to only one specific work effort so that activities are not omitted or duplicated; and is used as a framework for defining project tasks or activities [14]. As a large-scale and complex project, it is extremely difficult for a nuclear power project to decompose the WBS to the work package level and keep it stable and adaptable to changes over a long time. After nearly 7 years of repeated practice and optimization, the company where the authors work has established a WBS system with a reasonable and relatively stable structure, which has been fully applied in many nuclear power engineering projects. How the WBS system can step out of its own system and integrate with the Collaborative Engineering Platform, EMP and AED still needs further research.

(2) The transformation cost of the existing system platform architecture is high.

EMP and AED realize data exchange through the combination of interfaces and the CXF framework.
The design of front-end business process rules is also internalized through the professional Collaborative Engineering Platform, but this way of building systems entirely on business requirements, like internal "chimneys", still cannot solve the problem of cross-disciplinary data exchange, and the cost of integrating and opening up interaction between "chimney" systems is high [15]. Without this, the realization of the above knowledge model remains empty talk. The scheme has been verified in practice in the initial stage of the design standardization project. At present, the database of design results for the initial stage of the project has been established. At the same time, the company has started the design center database construction project, which aims to break the information islands between multiple platforms; it lays the foundation for the realization of design process reuse and also makes it possible to popularize the scheme in various nuclear power projects.

3.4 Conclusion

Reuse of design knowledge is a demand of the mass production of nuclear power plants. This demand indicates that enterprises have moved from the stage of production and research to the stage of promotion and operation. Judging from the practical cases of Alibaba's digital middle-platform strategy and architecture, the transformation of enterprise IT architecture involves costs in manpower, capability, budget, etc. Restructuring is not realistic for companies that are not commercially driven. A more likely path is to connect the Collaborative Engineering Platform, EMP and AED through a data bus to realize data linkage among the three platforms. In this way, for the highly specialized nuclear power design institute, front-end collaboration takes part through data exchange instead of design activities, and the above design reuse model also becomes possible.


References

1. Feng, H.-L., Jia, X.-S.: Analysis of strategic layout and actions of American electronic record management under the background of digital transformation. Arch. Sci. Newslett. 6, 44–51 (2015)
2. Shi, X., Tong, S.-R., Ma, F.: A reuse-oriented knowledge classification and representation for product design process. Mach. Tool Hydraulics 38(17), 21–24 (2010)
3. Hou, B., Tu, H.-B., Wang, Y.-F.: Enterprise content management platform Web services based on CXF framework. Telecommun. Sci. 5, 191–196 (2016)
4. Yi, Q.: Study on problems and strategies of digital archival object preservation in data environment. Arch. Sci. Bull. (04), 40–47 (2019)
5. Zhao, Y.: Study on the digital continuity 2020 policy of Australia. Arch. Construct. 6, 17–33 (2018)
6. SNIA Dictionary [EB/OL], 22 December 2017. https://www.snia.org/education/dictionary/a
7. McDonald, J., Léveillé, V.: Whither the retention schedule in the era of big data and open data. Rec. Manage. J. 24(2), 99–121 (2014)
8. Lemieux, V.L., Gormly, B., Rowledge, L.: Meeting big data challenges with visual analytics: the role of records management. Rec. Manage. J. 24(2), 122–141 (2014)
9. Xiong, W.: Thinking about the construction of nuclear power document management standard system from ISO 30300 and ISO 15489 series document standards. Stand. Res. 2, 13–19 (2017)
10. General Contracting and Project Management of Nuclear Power Projects, p. 116
11. HAF003-1991, Safety Regulations for Quality Assurance, Nuclear Power Plant [EB/OL], 18 November 2016
12. Liu, X.-Y.: Conceptual Design Technology of Complex Products Based on Knowledge Reuse and Its Application (D), p. 5
13. Zhu, F., Jiang, Y.-X., Wang, Y.-F.: Modeling conceptual design process for dynamic knowledge management and reuse. Data Anal. Knowl. Discov. 2, 20–26 (2018)
14. Haugan, G.T.: Effective Work Breakdown Structures, p. 15
15. Zhong, H.: The Way to Transform Enterprise IT Architecture: Alibaba's Mid-Table Strategic Thought and Architecture Actual Combat (D)

Study on the Feedwater Control of the Once-Through Steam Generator in the Sodium-Cooled Fast Reactor (SFR)

Wen Jiao, Xin-Yu Wei(B), Pei-Wei Sun, and Xian-Shan Zhang
Xi'an Jiaotong University, Xi'an 710049, China
[email protected], [email protected]

Abstract. The Sodium-cooled Fast Reactor (SFR) has become a research hotspot and has been developed rapidly in recent years because of its small size and high power density. The SFR contains three circuits: the primary sodium circuit, the secondary sodium circuit, and the third water circuit. The third circuit is the feedwater supply system, which cools the sodium of the secondary circuit in the once-through steam generator (OTSG). The OTSG is therefore considered one of the most important pieces of equipment, essential to normal operation and safety assurance. In this article, the dynamic model of the OTSG is built by the movable and fixed boundary methods based on the conservation equations. The other components are also modeled to build the third water circuit model, such as the parallel channel model, the feedwater pump model and the high-pressure feedwater heater model. In the MATLAB/Simulink environment, the third water circuit simulation platform is developed. The steady-state condition and some typical disturbance conditions are simulated to verify the proposed model. According to the dynamic characteristics and control requirements, a feedforward and feedback control system is designed to adjust the flow rate in time to ensure that the outlet temperature of sodium in the secondary circuit stays within the prescribed limits. To verify the effectiveness of the proposed control system, some typical conditions are simulated. The simulation results show that the developed model can simulate the steady-state and transient characteristics correctly, and that the proposed control strategy achieves the control objective of a stable outlet temperature of sodium in the secondary circuit. The research can provide a reference for the study of the control and operation of the OTSG and feedwater supply system in the SFR.

Keywords: Sodium-cooled fast reactor · Once-through steam generator · Feedwater control

Nomenclature

A  Area
Cp  Specific heat capacity
De  Equivalent diameter
f  Friction factor
G  Mass flux
g  Gravity
H  Unit enthalpy
N  Power
P  Pressure
ΔPa  Accelerated pressure drop
ΔPf  Friction pressure drop
ΔPel  Gravity pressure drop
Q  Linear heat flux
r  Radius
T  Temperature
W  Mass flow
x  Steam quality
Z  Physical location
Nu  Nusselt number
Re  Reynolds number
Pr  Prandtl number
Gr  Grashof number
Pe  Peclet number
μ  Dynamic viscosity

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021 Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 354–369, 2021. https://doi.org/10.1007/978-981-16-3456-7_34

1 Introduction

A simple fact currently shows that nuclear power has become one of the most environment-friendly and economical energy sources. A movable boundary model for OTSG analysis was developed in 1988 [1]. The pressure drops and boiling heat transfer characteristics of steam-water two-phase flow were studied in a small horizontal helically coiled tubing OTSG, and a new flow boiling heat transfer correlation was proposed to better correlate the experimental data by Zhao L. et al. [2]. Rakopoulos, D. [3] modeled and simulated the transient operation of a utility supercritical steam generator fired with pulverized hard coal. One-dimensional (1D) and two-dimensional (2D) methods for analyzing the thermal-hydraulic performance of an HTGR steam generator were developed by Li X.W. [4]. Performance assessment methods for the plant with stable and unstable zeros of two PI controller systems were developed at all specific power levels [5]. An adaptive backstepping-based composite nonlinear feedback control scheme was proposed for the U-tube steam generator (UTSG) in a nuclear power unit [6]. Based on previous studies, the moving boundary method is adopted in OTSG modeling to balance calculation accuracy and speed. At the same time, because the OTSG, unlike the UTSG, has no liquid level to control, a basic PID control system is used to control the outlet sodium temperature to ensure the cooling effect of the third circuit.

2 Materials and Methods

The turbine usually operates according to the nuclear power in the SFR. In this case, the change of the feedwater flow rate in the third circuit should follow the change of the reactor power and the sodium temperature of the second circuit. In order to track the sodium side in time and reduce the temperature fluctuation of the second circuit, a suitable feedwater supply control system needs to be designed. The feedwater supply system schematic arrangement is shown in Fig. 1.

356

W. Jiao et al.

Fig. 1. Feedwater supply system schematic arrangement

At the beginning of the third circuit, four feedwater pumps are arranged in parallel, three in use and one in standby, whose function is to raise the pressure of the feedwater. After the confluence from the feedwater pumps, the flow is split and flows into the parallel high-pressure heaters, three in total with two in use and one in standby. Afterwards, the feedwater is divided into two loops again. After passing through the loop regulating valves, each loop is divided into two primary branches, and each primary branch is divided into four secondary generator branches connected in parallel with each other. In other words, the total feedwater is divided into 16 branches connecting 16 OTSG modules. The heat from the sodium in the second circuit is transferred to the feedwater inside the OTSG, which leaves as overheated steam. In the end, the steam from the 16 tubes is converged and sent to the turbine to generate electricity. Based on the feedwater flow process, the modeling objects include the OTSG, parallel channels, feedwater pumps, high-pressure heaters, loop regulating valves and modular regulating valves. Next, these models are established and connected in turn, and the feedwater supply control system is designed according to the characteristics of the system.

2.1 OTSG Model Description

The OTSG is divided into two parts, an evaporator and a superheater. Hundreds of heat transfer tubes are arranged inside the equipment. Water/steam flows inside the tubes, and sodium flows outside the tubes in the shell space. The corresponding modeling is performed according to the specific characteristics of each part.
The specific flow process is shown in Fig. 2.


Fig. 2. OTSG schematic model

The liquid metal sodium flowing out of the intermediate heat exchanger enters through the bottom inlet of the superheater. It then flows bottom-up through the shell space, leaves through the superheater sodium outlet, enters the top of the evaporator through the connecting pipe, and flows through the shell-side space around the evaporator heat transfer tubes from top to bottom. After the sodium buffer tank, it is pumped back to the intermediate heat exchanger by the sodium pump. The water/steam flows in the opposite direction. The feedwater continuously absorbs heat during its bottom-up flow through the evaporator and passes through three states: subcooled water, two-phase fluid and overheated steam; in the superheater it is overheated steam only. To simplify the calculation, the following assumptions are made:

1) All heat transfer tubes are represented by a single equivalent tube.
2) Only axial changes of the physical properties of the fluid are considered.
3) The axial heat conduction of the heat transfer tube is ignored.
4) The heat exchange between sodium or feedwater and the shells of the evaporator and superheater is ignored.
5) The two-phase flow adopts the homogeneous flow model.
6) The heat loss at the connection between evaporator and superheater is negligible.
7) The effect of momentum conservation in the coupled solution is ignored.

In the evaporator, the movable boundary method is adopted to balance calculation speed and accuracy. In the direction of water/steam flow, the evaporator is divided into the following four zones:

(1) Subcooled zone: $H < H_f$
(2) Nucleate boiling zone: $H > H_f$ and $x \le x_{dryout}$
(3) Film boiling zone: $x_{dryout} < x < 1$
(4) Overheated zone: $H > H_g$


The energy conservation and mass conservation equations describing the fluid at the flow position z at time t are as follows:

$$\frac{\partial \rho}{\partial t} = \pm \frac{\partial G}{\partial z} \qquad (1)$$

$$\frac{\partial(\rho H)}{\partial t} = \pm \frac{\partial (GH)}{\partial z} \mp \frac{Q}{A} + \frac{\partial P}{\partial t} \qquad (2)$$

In the above formulas, for ± and ∓ use the upper symbol on the sodium side and the lower symbol on the water/steam side. For the ith node of the heat transfer tubes only the energy conservation equation is used:

$$\pi\left(r_o^2 - r_i^2\right)\rho_m C_{p,m}\left(\dot{\bar T}_{m,i}\,\Delta Z_i - \dot{\bar Z}_i\,\Delta T_{m,i}\right) = Q_{p,i} - Q_{s,i} \qquad (3)$$

Because the boundary of the control volume changes with time, when integrating over the ith node the integral containing the time derivative is transformed using the Leibniz rule:

$$\frac{d}{dt}\int_{Z_i}^{Z_{i+1}} f\,dz = \int_{Z_i}^{Z_{i+1}} \frac{\partial f}{\partial t}\,dz + f_{i+1}\frac{dZ_{i+1}}{dt} - f_i\frac{dZ_i}{dt} \qquad (4)$$

Collecting and simplifying formula (4) gives:

$$\int_{Z_i}^{Z_{i+1}} \frac{\partial f}{\partial t}\,dz = \dot{\bar f}_i\,\Delta Z_i + \bar f_i\left(\dot Z_{i+1} - \dot Z_i\right) - f_{i+1}\dot Z_{i+1} + f_i \dot Z_i \qquad (5)$$

where $\bar f_i = \theta f_i + (1 - \theta) f_{i+1}$ and the value of θ depends on the behaviour of $f_i$ at the ith node. Here θ is taken as 1 on the sodium side, 0 on the water/steam side and 0.5 on the heat transfer tube. The other terms without time derivatives are integrated directly, and sodium is described only with the energy conservation equation. The discretization of the control volume is performed on the above equations in the evaporator with the movable boundary method, and the results are as follows:

Water/steam:

$$\dot\rho_{s,i+1}\,\Delta Z_i - \dot Z_i\,\Delta\rho_{s,i} + \Delta G_{s,i} = 0 \qquad (6)$$

$$\frac{\partial(\rho H)_{s,i+1}}{\partial t}\,\Delta Z_i - \dot Z_{i+1}\,\Delta(\rho H)_{s,i} + \Delta(GH)_{s,i} - \frac{Q_{s,i}}{A_s} - \dot P_s\,\Delta Z_i = 0 \qquad (7)$$

Sodium:

$$\Delta Z_i\,\dot T_{p,i} - \Delta T_{p,i}\,\dot Z_{i+1} = \frac{W_p\,C_{pp,i}\,(T_{p,i+1} - T_{p,i}) - Q_{p,i}}{\rho_{p,i}\,C_{pp,i}\,A_p} \qquad (8)$$

Heat transfer tubes:

$$\Delta Z_i\,\dot T_{m,i} - 0.5\,\Delta T_{m,i}\left(\dot Z_i + \dot Z_{i+1}\right) = \frac{Q_{p,i} - Q_{s,i}}{\pi\left(r_o^2 - r_i^2\right)\rho_{m,i}\,C_{m,i}} \qquad (9)$$


The single-phase overheated steam flows through the heat transfer tubes in the superheater, so the fixed boundary method is adopted and $\dot Z = 0$. Similarly, the discretization results of the control volume in the superheater are as follows:

Steam:

$$\Delta Z_i\left(\frac{\partial\rho}{\partial H}\right)_{s,i+1} C_{ps,i+1}\,\dot T_{s,i+1} + \Delta Z_i\left(\frac{\partial\rho}{\partial P}\right)_{s,i+1}\dot P + \Delta G_{s,i} = 0 \qquad (10)$$

$$\Delta Z_i\left(\rho + H\frac{\partial\rho}{\partial H}\right)_{s,i+1} C_{ps,i+1}\,\dot T_{s,i+1} + \Delta Z_i\left(H\frac{\partial\rho}{\partial P} - 1\right)\dot P_s + \Delta(GH)_{s,i} - \frac{Q_{s,i}}{A_s} = 0 \qquad (11)$$

Sodium:

$$\Delta Z_i\,\dot T_{p,i} = \frac{W_p\,C_{pp,i}\,(T_{p,i+1} - T_{p,i}) - Q_{p,i}}{\rho_{p,i}\,C_{pp,i}\,A_p} \qquad (12)$$

Heat transfer tube:

$$\Delta Z_i\,\dot T_{m,i} = \frac{Q_{p,i} - Q_{s,i}}{\pi\left(r_o^2 - r_i^2\right)\rho_{m,i}\,C_{m,i}} \qquad (13)$$

The above equations in the evaporator and superheater are written in matrix form and calculated with the S-function platform in Simulink. According to the characteristics of the different heat transfer zones in the OTSG above, the specific expressions selected for the heat transfer correlations of water/steam in the different zones [7–11] are shown in Table 1.

Table 1. Heat transfer correlations of water/steam

Zone | Re | Correlation | Specific expression
Subcooled | Re > 2500 | Sieder-Tate | $Nu = 0.023\,Re^{0.8}Pr^{0.33}\left(\frac{\mu}{\mu_w}\right)^{0.14}$
Subcooled | Re < 2500 | Collier | $Nu = 0.17\,Re^{0.33}Pr^{0.43}\left(\frac{Pr}{Pr_w}\right)^{0.25}Gr^{0.1}$
Nucleate boiling | – | Chen | $h = 0.023F\,\frac{\lambda_f^{0.6}G^{0.8}(1-x)^{0.8}C_{pf}^{0.4}}{\mu_f^{0.4}D_e^{0.2}} + 0.00122S\,\frac{\lambda_f^{0.79}C_{pf}^{0.45}\rho_f^{0.49}}{\sigma^{0.5}\mu_f^{0.29}h_{fg}^{0.24}\rho_g^{0.24}}\,\Delta T_{sat}^{0.24}\,\Delta P_{sat}^{0.75}$
Film boiling | – | Miropolskiy | $Nu = 0.023\left\{Re\left[x + \frac{\rho_g}{\rho_f}(1-x)\right]\right\}^{0.8}Pr^{0.8}\,Y$
Overheated | Re > 2500 | Sieder-Tate | $Nu = 0.023\,Re^{0.8}Pr^{0.33}\left(\frac{\mu}{\mu_w}\right)^{0.14}$
Overheated | Re < 2500 | McAdams or Sieder-Tate (maximum) | $h = 0.13\lambda_{wg}\left[\frac{\rho_{wg}^2 g\beta_{wg}(T_w - T_{sat})}{\mu_{wg}^2}\right]^{1/3}\left(\frac{C_{p,wg}\mu_{wg}}{\lambda_{wg}}\right)^{1/3}$ or $Nu = 0.023\,Re^{0.8}Pr^{0.33}\left(\frac{\mu}{\mu_w}\right)^{0.14}$


The specific expression selected for the heat transfer correlation of sodium [12] is:

$$Nu = 0.047\left(1 - e^{-3.8(\chi - 1)}\right)\left(Pe^{0.77} + 250\right) \qquad (14)$$

The single-phase pressure drop is calculated in the same way as for ordinary single-phase fluids. It should be noted, however, that when calculating the friction pressure drop in the two-phase region, the McAdams formula must be used as the calculation formula for the two-phase friction multiplier $\phi_{f0}^2$, as shown below:

$$\phi_{f0}^2 = \left[1 + x\frac{\nu_{fg}}{\nu_g}\right]\left[1 + x\frac{\mu_{fg}}{\mu_g}\right]^{-0.25} \qquad (15)$$

Some typical design parameters assumed for the OTSG model are shown in Table 2.

Table 2. Typical design parameters of OTSG model

Items | Value
The inlet temperature of feedwater (°C) | 210
The outlet temperature of steam (°C) | 485
The inlet temperature of sodium (°C) | 505
The outlet temperature of sodium (°C) | 308
The sodium flow (kg/s) | 373
The feedwater flow (kg/s) | 40

Based on the typical design parameters, temperature and flow disturbances of water and sodium are introduced into the OTSG model respectively, and the response characteristics are shown as follows (Figs. 3, 4, and 5).

Fig. 3. Dynamic response of OTSG model when sodium flow rate increases 5% in the 50th second


Fig. 4. Dynamic response of OTSG model when temperature of sodium increases 5 °C in the 50th second

Fig. 5. Dynamic response of OTSG model when temperature of feedwater decreases 5 °C in the 50th second

When the inlet boundary conditions change, an imbalance arises between the two fluids on the two sides of the OTSG. Taking the rise of the inlet sodium temperature as an example, the water side cannot absorb the increased heat of the sodium side at once, and the temperature difference between the sodium and water sides increases within a short time after the disturbance is introduced, which enhances the heat transfer. The steam temperature at the outlet of the evaporator and superheater also rises, until the heat exchange between the sodium side and the water side reaches equilibrium again. From the above responses it can be seen that the established OTSG model reflects the response characteristics after a disturbance is introduced well, verifying its accuracy and reliability.

2.2 Parallel Channel Model Description

The feedwater and the overheated steam are connected to the inlet and outlet chambers separately, and there is no flow mixing between OTSG modules, so the modules can be regarded as parallel channels. Because resistance components are arranged on each branch, the resistance characteristics may change, and there is mutual interference and influence between the modules. The flow distribution needs to be calculated to ensure that the simulation of the feedwater control system correctly reflects the flow distribution characteristics of the parallel channels. Ignoring the heat loss in the flow process, the parallel channels are described by the mass conservation equation and the momentum conservation equation as follows:

$$\frac{\partial\rho}{\partial t} = -\frac{1}{A_i}\frac{\partial W_i}{\partial z} \qquad (16)$$

$$\frac{\partial}{\partial t}\left(\frac{W_i}{A_i}\right) = -\frac{\partial P}{\partial z} - \frac{\partial}{\partial z}\left(\frac{W_i^2}{\rho A_i^2}\right) - \frac{f W_i^2}{2 D_e \rho A_i^2} - \rho g \qquad (17)$$

The equations are multiplied by $dz/A_i$ on both sides and integrated along the channel length L. When calculating the distribution of flow and pressure, the simplified equations below must be solved simultaneously: the flow is determined by the momentum equation and the pressure by the mass equation, and flow and pressure are coupled with each other.

$$\int_0^L \frac{\partial\rho}{\partial P}\frac{\partial P}{\partial t}\,dz = W_{in} - W_{out} \qquad (18)$$

$$\frac{L}{A_i}\frac{\partial W_i}{\partial t} = (P_{in} - P_{out}) - \int_0^L \frac{\partial}{\partial z}\left(\frac{W_i^2}{\rho A_i^2}\right)dz - \int_0^L \frac{f W_i^2}{2\rho A_i^2 D_e}\,dz - \int_0^L \rho g\,dz = P_{in} - P_{out} - \Delta P_{a,i} - \Delta P_{f,i} - \Delta P_{el,i} \qquad (19)$$

2.3 Feedwater Pump Model Description

Three centrifugal feedwater pump sets are used in the model, each set consisting of a constant-speed booster pump and a variable-speed main pump. According to the coupling characteristics of the selected pump's differential pressure ΔP, flow W and power N, the similarity law is used to establish the hydraulic model. The specific expressions are shown below.

$$W_{ref} = W\,\frac{\omega_{ref}}{\omega} \qquad (20)$$

$$\Delta P = \Delta P_{ref}\left(\frac{\omega}{\omega_{ref}}\right)^2\frac{\rho}{\rho_{ref}} \qquad (21)$$

$$N = N_{ref}\left(\frac{\omega}{\omega_{ref}}\right)^3\frac{\rho}{\rho_{ref}} \qquad (22)$$

The total flow is calculated from the inlet pressure, the outlet pressure of the feedwater pump, and the lifting head to solve the momentum equation, and the mutual coupling of the lifting head and the flow is realized. Combined with the inertia axis model, the feedwater flow rate of the pump sets can be obtained under the input of different torques.


2.4 Feedwater Regulating Valve Model Description

For the loop and modular feedwater regulating valves that regulate the opening, the linear valve is adopted in the model. Its characteristic is that the relative flow rate change caused by a unit change of relative displacement is proportional to the opening at that point, that is, the amplification factor is constant.

Fig. 6. Local loss characteristics of typical feed-water regulating valve model

The relationship between the valve opening and the local loss coefficient can be obtained from the valve resistance characteristic curve in Fig. 6. In the calculation, the local resistance coefficient is used to calculate the local pressure drop of the fluid pipelines, which affects the total flow and the flow distribution between different pipelines.

2.5 Control System Establishment

The control requirement is that, under the disturbances of the typical working conditions, the sodium temperature at the OTSG outlet be maintained within a range of 5 °C with an overshoot not exceeding 15%, and that the sodium outlet temperature of the steam generator be kept constant within 308 ± 1 °C. Being able to cool down the reactor during operation is an important safety guarantee. For the third circuit, this means that it is necessary to ensure that the sodium can be cooled smoothly and that the temperature of the sodium at the evaporator outlet is maintained near the target value. In the design scheme, it is planned to stabilize the outlet sodium temperature of the evaporator by controlling the feedwater flow rate. Considering the large specific heat capacity and thermal conductivity of liquid metal sodium, a feedforward link that adjusts the valve based on the sodium flow rate is added when designing the control system.
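As an added worked example (not the paper's code), the steady form of Eq. (19) of Sect. 2.2 is applied to four OTSG modules fed from one primary branch, with the linear-valve local loss of Sect. 2.4 included: every branch must see the same header pressure difference and the branch flows must add up to the branch total. The pipe geometry, density, friction factor, the valve loss law K(opening) = K_full/opening², and the 2.5 kg/s per module (40 kg/s over 16 modules) are assumptions for illustration.

```python
"""Steady-state flow split among parallel OTSG branches (added example).

Steady form of Eq. (19): with dW_i/dt = 0 every branch between the common
inlet and outlet headers satisfies
    P_in - P_out = dP_a,i + dP_f,i + dP_el,i
and the branch flows must add up to the total flow entering the header.
Geometry, fluid properties and the valve loss law are constructed assumptions.
"""
import math

RHO = 850.0       # feedwater density, kg/m^3 (assumed)
G_ACC = 9.81      # gravity, m/s^2
L_BRANCH = 20.0   # branch length, m (assumed)
D_E = 0.025       # equivalent diameter, m (assumed)
AREA = math.pi * D_E ** 2 / 4.0
F_DARCY = 0.02    # friction factor f (assumed constant)
K_FULL = 5.0      # valve loss coefficient at full opening (assumed)


def valve_loss(opening, k_full=K_FULL):
    """Local loss coefficient of a linear regulating valve.

    Assumed model: at a fixed pressure drop the flow is proportional to the
    opening, and flow scales with 1/sqrt(K), hence K = K_full / opening^2.
    """
    if not 0.05 <= opening <= 1.0:
        raise ValueError("opening must lie in [0.05, 1.0]")
    return k_full / opening ** 2


def branch_dp(w, k_local):
    """Pressure drop of one branch at mass flow w (Pa).

    dP_a vanishes for constant-area, constant-density flow, so only the
    friction (pipe + valve) and elevation terms of Eq. (19) remain.
    """
    dynamic = w ** 2 / (2.0 * RHO * AREA ** 2)
    return (F_DARCY * L_BRANCH / D_E + k_local) * dynamic + RHO * G_ACC * L_BRANCH


def branch_flow(dp, k_local):
    """Inverse of branch_dp: mass flow that produces pressure drop dp."""
    dynamic = (dp - RHO * G_ACC * L_BRANCH) / (F_DARCY * L_BRANCH / D_E + k_local)
    return AREA * math.sqrt(2.0 * RHO * max(dynamic, 0.0))


def flow_split(w_total, openings, tol=1e-12):
    """Return (header dp, [branch flows]) for the given valve openings.

    The common header dp is found by bisection: the summed branch flows grow
    monotonically with dp, so exactly one dp delivers w_total.
    """
    ks = [valve_loss(o) for o in openings]
    lo = RHO * G_ACC * L_BRANCH              # zero flow in every branch
    hi = branch_dp(w_total, max(ks))         # whole flow in the tightest branch
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if sum(branch_flow(mid, k) for k in ks) < w_total:
            lo = mid
        else:
            hi = mid
        if hi - lo < tol * hi:
            break
    dp = 0.5 * (lo + hi)
    return dp, [branch_flow(dp, k) for k in ks]


if __name__ == "__main__":
    # One primary branch feeding 4 OTSG modules: 40 kg/s / 16 modules = 2.5 kg/s each
    total = 4 * 2.5
    for openings in ([1.0] * 4, [0.5, 1.0, 1.0, 1.0]):
        dp, flows = flow_split(total, openings)
        print(f"openings={openings}  dp={dp / 1e3:.1f} kPa  "
              f"flows={[round(f, 3) for f in flows]} kg/s")
```

Throttling one module valve to half opening starves that module and pushes the difference onto its three neighbours, which is the mutual interference between modules that Sect. 2.2 says the flow-distribution calculation must capture.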


Fig. 7. Feedwater supply control system

Based on the above control performance requirements, the control design shown in Fig. 7 was adopted. The cascade control system used is a combination of feedforward and feedback. Two PID controllers are used to adjust the valve opening to change the feedwater flow rate and ensure that the response characteristics of the sodium temperature at the OTSG outlet meet the control requirements under typical conditions (Table 3).

Table 3. Parameters of established controllers

Items | Kp | Ki | Kd
Flow controller | 0.5 | 0.25 | 0
Temperature controller | 0 | 5e−6 | 0

The established feedwater supply control system is put into the model above and tested under typical symmetrical transient conditions. The results are shown below (Fig. 8). After the reactor power increases, due to the rapid increase of heat on the sodium side, the initial feedwater flow is insufficient to cool the sodium-side fluid, so the sodium temperature at the OTSG outlet and the steam temperature at the superheater outlet gradually increase. At the same time, the PI controller detects the temperature deviation of the sodium outlet, the opening of the loop feedwater regulating valve increases, and the feedwater flow, as the coolant, is increased to absorb the heat on the sodium side. It takes a certain time to adjust the valve, so the outlet sodium temperature continues to rise, reaching a peak of 310.42 °C at 164.40 s. At that moment the valve opening is still increasing, and the feedwater flow is still increasing. After a certain overshoot, the opening of the loop regulating valve gradually stabilizes. From 483.70 s, the outlet sodium temperature stabilizes at 308.00 °C, and from 500.13 s, the OTSG outlet steam temperature stabilizes at 509.00 °C, an increase of 6.04 °C from the initial moment. The feedwater flow rate of the steam generator changes with the valve opening, and finally stabilizes at 39.35 kg/s, an increase of 0.75 kg/s compared with the initial time.
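As an added illustration of the cascade scheme of Fig. 7 (not the paper's Simulink model): a constructed lumped sodium-side energy balance at the Table 2 operating point is regulated by an inner PI flow controller with the Table 3 gains (Kp = 0.5, Ki = 0.25), an outer integral-only temperature controller (Kp = 0 as in Table 3, but with a gain chosen for this toy plant rather than the paper's 5e−6), and the feedforward term that scales the feedwater setpoint with the sodium flow. The thermal capacity, actuator lag, valve gain and sodium specific heat are assumptions; the run compares a 5% sodium-flow step with and without the feedforward.

```python
"""Cascade feedforward + feedback feedwater control on a constructed plant.

Structure follows Fig. 7: an outer sodium-outlet-temperature controller sets
the feedwater flow setpoint, a feedforward term scales that setpoint with the
measured sodium flow, and an inner flow controller drives the loop regulating
valve. The lumped plant is an assumption for this example, not the paper's
moving-boundary OTSG model.
"""
from dataclasses import dataclass

# Operating point from Table 2 of the paper.
T_NA_IN = 505.0    # sodium inlet temperature, degC
T_SET = 308.0      # sodium outlet temperature setpoint, degC
W_NA0 = 373.0      # nominal sodium flow, kg/s
W_FW0 = 40.0       # nominal feedwater flow, kg/s

# Constructed plant constants (assumptions, not from the paper).
CP_NA = 1270.0     # sodium specific heat, J/(kg K)
C_THERMAL = 5.0e7  # lumped thermal capacity of the sodium side, J/K
TAU_VALVE = 10.0   # flow response time constant of the regulating valve, s
KG_PER_PCT = 0.8   # feedwater flow per percent of valve opening, kg/(s %)
# Heat absorbed per kg of feedwater, chosen so that Table 2 is a steady state.
Q_PER_KG = W_NA0 * CP_NA * (T_NA_IN - T_SET) / W_FW0


@dataclass
class PI:
    """Discrete PI controller with output limits and conditional integration."""
    kp: float
    ki: float
    out_min: float
    out_max: float
    integral: float = 0.0

    def step(self, error, dt, bias=0.0):
        trial = bias + self.kp * error + self.ki * (self.integral + error * dt)
        if self.out_min <=	trial <= self.out_max:
            self.integral += error * dt       # anti-windup: hold when saturated
        return min(max(trial, self.out_min), self.out_max)


def simulate(w_na_step, feedforward, ki_temp=1.0e-3, t_end=3000.0, dt=1.0, t_step=50.0):
    """Apply a sodium-flow step of w_na_step kg/s at t_step and run to t_end.

    Inner loop: Table 3 flow-controller gains (Kp 0.5, Ki 0.25), output in
    percent valve opening. Outer loop: pure integral as in Table 3 (Kp 0),
    with ki_temp chosen for this toy plant (assumption).
    """
    flow_ctrl = PI(kp=0.5, ki=0.25, out_min=0.0, out_max=100.0)
    temp_ctrl = PI(kp=0.0, ki=ki_temp, out_min=0.0, out_max=80.0)
    u0 = W_FW0 / KG_PER_PCT                   # 50 % opening gives nominal flow
    T, w_fw = T_SET, W_FW0
    peak_dev, t_peak = 0.0, 0.0
    for k in range(int(t_end / dt)):
        t = k * dt
        w_na = W_NA0 + (w_na_step if t >= t_step else 0.0)
        # Feedforward: scale the feedwater setpoint with the measured sodium flow.
        w_ff = W_FW0 * w_na / W_NA0 if feedforward else W_FW0
        # Outer loop: temperature error trims the flow setpoint around w_ff.
        w_sp = temp_ctrl.step(T - T_SET, dt, bias=w_ff)
        # Inner loop: flow error sets the valve opening around its nominal value.
        u = flow_ctrl.step(w_sp - w_fw, dt, bias=u0)
        # Actuator: feedwater flow follows the valve command with a first-order lag.
        w_fw += dt * (KG_PER_PCT * u - w_fw) / TAU_VALVE
        # Lumped sodium-side energy balance: heat in from sodium minus heat to water.
        T += dt * (w_na * CP_NA * (T_NA_IN - T) - w_fw * Q_PER_KG) / C_THERMAL
        if abs(T - T_SET) > abs(peak_dev):
            peak_dev, t_peak = T - T_SET, t
    return {"peak_dev": peak_dev, "t_peak": t_peak, "T_final": T, "w_fw_final": w_fw}


if __name__ == "__main__":
    for ff in (False, True):
        r = simulate(w_na_step=0.05 * W_NA0, feedforward=ff)
        print(f"feedforward={ff}: peak {r['peak_dev']:+.2f} degC at {r['t_peak']:.0f} s, "
              f"final T {r['T_final']:.2f} degC, feedwater {r['w_fw_final']:.2f} kg/s")
```

With the feedforward active the feedwater setpoint jumps as soon as the sodium flow changes, so only the actuator lag contributes to the temperature excursion; without it the slow outer integrator must first accumulate error, which is the effect the paper uses the feedforward link to avoid.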


Fig. 8. Dynamic response of control system when reactor power increases in the 50th second

It can be seen from Fig. 9 that the feedforward link in the feedwater flow regulation system detects the sudden change in sodium flow rate, and the controller increases the opening of the loop feedwater regulating valve so that the feedwater flow rate quickly follows the increase in sodium flow. Because of the time delay of the feedwater adjustment, for a period after the disturbance is introduced the increased feedwater flow is insufficient to meet the cooling requirement. At 83.51 s, the sodium outlet temperature reaches a peak of 308.78 °C; then the valve opening continues to increase and the feedwater flow continues to increase and is adjusted gradually, so that the outlet sodium temperature stabilizes around 308.00 °C from 521.31 s, and the feedwater flow rate eventually rises to 40.51 kg/s, matching the sodium-side flow rate. At the same time, the steam temperature at the outlet of the superheater fluctuates continuously due to the changes in the water-side and sodium-side flow rates, and finally stabilizes at a decrease of 0.37 °C (Fig. 10).

Fig. 9. Dynamic response of control system when the speed of sodium pump increases in the 50th second

After the disturbance in which the feedwater temperature drops by 5 °C, the cooling effect on the sodium side is enhanced due to the drop in the temperature of the feedwater at the inlet of the evaporator. The opening of the loop regulating valve is reduced to decrease the feedwater flow of the steam generator and weaken the heat exchange. During the period when the valve opening is being reduced, the reduced feedwater flow rate is still on the side of over-cooling the sodium, and the sodium temperature at the outlet of the evaporator continues to drop, reaching a valley of 306.60 °C at 95.86 s. After a certain overshoot, the opening of the loop regulating valve gradually stabilizes, and the flows on the water and sodium sides reach equilibrium again. From 389.13 s, the outlet sodium temperature stabilizes at 308.00 °C, and from 409.18 s, the superheater outlet steam temperature stabilizes at 504.12 °C, an increase of 0.06 °C compared to the initial time. The feedwater flow rate of the steam generator changes with the valve opening, and finally stabilizes at 38.24 kg/s, a decrease of 0.36 kg/s compared with the initial moment (Fig. 11).

Fig. 10. Dynamic response of control system when temperature of feedwater deviates from normal in the 50th second

After introducing the disturbance of a 1 MPa step rise of the pressure at the steam header, which is equivalent to adjusting the steam turbine inlet valve, the superheated steam at the outlet of the steam generator is reduced in a short time and the heat exchange strength is reduced. The steam temperature at the outlet of the superheater rises rapidly. At this time a sodium outlet temperature deviation occurs; the controller increases the opening of the loop regulating valve and increases the feedwater flow to enhance the heat exchange strength, and for a period while the valve opening increases, the increased feedwater flow is not enough to completely cool the sodium side, so the sodium temperature at the outlet of the evaporator continues to rise, reaching a peak of 309.62 °C at 88.71 s. After a certain overshoot, the opening of the loop regulating valve gradually stabilizes. Under the new steam header pressure, the flows on the water side and the sodium side reach equilibrium again. From 495.10 s, the outlet sodium temperature stabilizes at 308.00 °C. At 570.12 s, the steam temperature at the outlet of the superheater stabilizes at 503.52 °C, a decrease of 0.44 °C compared with the initial time. The feedwater flow rate of the steam generator changes with the valve opening, and finally stabilizes at 38.82 kg/s, an increase of 0.22 kg/s compared with the initial time. In the test of the change in the opening of the turbine inlet control valve, the change in the observed values is small and the adjustment is fast.


Fig. 11. Dynamic response of control system when turbine load decreases in the 50th second

3 Results and Discussion

After a temperature, flow or pressure disturbance on the sodium side or the water side is introduced, the flow controller and the temperature controller receive the input deviation and quickly adjust the valve opening, and with it the feedwater flow, to reduce the deviation. The outlet sodium temperature, as the main controlled variable, returns to the vicinity of the target value after the overshoot and settling time, meeting the control requirements of the third circuit of the SFR. The established feedwater supply model reflects the working process correctly, and the designed feedwater supply control system quickly and effectively keeps the sodium temperature at the outlet of the OTSG near the target value under typical transient operations, in line with the control system requirements.

4 Conclusion

Based on the characteristics of the OTSG, a combination of the movable boundary method and the fixed boundary method is used for modeling, and the dynamic response of the model verifies its feasibility and accuracy. Models of equipment and components such as parallel channels, feedwater pump sets and regulating valves are then established and combined into the feedwater supply system of the third circuit. Considering the actual operating characteristics and fluid characteristics of the SFR, a cascade control system is established that keeps the outlet sodium temperature near the set value by adjusting the feedwater flow rate, which indirectly ensures effective cooling of the reactor. These methods provide a reference solution for the modeling and control of the three-loop feedwater supply system of an SFR. The next step is to consider control strategies at different power levels.

Acknowledgements. This research is supported by the National Natural Science Foundation of China (11875218) and the Innovative Scientific Program of CNNC.


Design and Improvement for γ Dose-Rate Monitor System of Nuclear Power Plant

Liang Li1, Jin Fan2, Yue Zhang1, and Wei-jie Huang1(B)

1 Nuclear and Radiation Safety Center MEE, Beijing 102400, China
2 China Nuclear Power Engineering Co., Ltd., Beijing 100840, China

Abstract. The γ dose-rate monitor system of a nuclear power plant is mainly composed of an ionization chamber, pure aluminum electrodes, armored cable, an electrical penetration and a local processing box. During the LOCA environmental test of HPR1000, the output current of the ionization chamber detector of the γ dose-rate monitor system decreased gradually and, once stable, did not return to the normal working range, which does not meet the requirements of the technical specification. It was found that, after gas filling and seal welding of the ionization chamber detector, the protective cover could not be installed because the inflation nozzle was too long; that the commissioning personnel did not protect the root of the nozzle when bending it; and that no detection method was used to check for a leak, so a leakage point at the root of the inflation nozzle went unnoticed. Improvements are proposed: upgrading the machining, assembly and welding processes, improving the test methods and equipment, and strengthening the nuclear safety awareness of the commissioning personnel.

Keywords: γ dose-rate monitor system · LOCA environmental test · Ionization chamber detector · Nuclear safety

The γ dose-rate monitor system of a nuclear power plant is mainly used to monitor the γ absorbed dose rate in the event of a loss-of-coolant accident or an accidental leak of coolant [1], which requires multi-point continuous monitoring [2–5]. In a loss-of-coolant accident the temperature and pressure in the containment rise and a large amount of radioactive material is released. Because of the particular and complex working environment of this equipment, key components and sensitive elements such as the ionization chamber detector and the local processing box are difficult to develop and expensive, and domestic nuclear power plants currently use foreign products. To speed up the localization of radiation monitoring system equipment and break foreign technical barriers and market monopoly, this paper introduces the composition of the γ dose-rate monitor system and the functions of its key components, and analyzes the root weld leak of the inflation nozzle of the ionization chamber detector found in the LOCA environmental test of HPR1000 [6]. The location of the leakage point is determined by leak detection. PT inspection and a tensile test of the root weld of the inflation nozzle show that the welding process and weld strength meet the design requirements, so the causes of the leak are analyzed from several aspects in order to propose improvements to the key technology and the detection equipment.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021. Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 370–379, 2021. https://doi.org/10.1007/978-981-16-3456-7_35


1 Component Structure and Function

1.1 Ionization Chamber

The current signals generated by ionization chambers of different volumes in the same radiation field can be obtained from Eqs. (1) and (2):

$R = I_s / M$ (1)

$M = 1.293 \times 10^{-6} \cdot V \cdot (P/P_0) \cdot (T_0/T)$ (2)

where R is the exposure rate of the air-equivalent ionization chamber, C/(kg·s); I_s is the saturation ionization current, A; M is the mass of air contained in the effective volume, kg; V is the volume of the ionization chamber, in cm³ (the constant 1.293 × 10⁻⁶ kg/cm³ is the density of air at P0 and T0); P is the air pressure in the ionization chamber; P0 is standard atmospheric pressure (1.013 × 10⁵ Pa); T is the air temperature in the ionization chamber; T0 is the standard temperature (273.15 K). Using 1 R/h ≈ 1/115 Gy/h, at 1 × 10³ μGy/h the currents generated by 1 L, 0.5 L and 0.1 L ionization chambers under standard conditions are 1.07 × 10⁻¹¹ A, 5.35 × 10⁻¹² A and 1.07 × 10⁻¹² A respectively. Since the measuring range of the ionization chamber is 1 × 10³ μGy/h to 1 × 10¹¹ μGy/h, a 0.1 L ionization chamber is the more appropriate choice. The parallel double ionization chamber structure is shown in Fig. 1. It consists of two chambers of 0.068 L and 0.032 L, with a total volume of 0.1 L. Its advantage is that the total output current is the sum of the output currents of the two chambers, so the wide range and good saturation characteristics of the monopole ionization chamber are obtained at a low polarization voltage, at the cost of high machining accuracy. The function of the ionization chamber detector is to collect, under the polarization voltage supplied by the local processing box, all the charge generated by γ rays ionizing the gas in the chamber onto the collecting electrode, forming an ionization current that is transmitted through the armored cable, the electrical penetration and a low-noise signal cable to the electrometer module of the local processing box.

Fig. 1. Parallel double ionization chamber structure
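Eqs. (1) and (2) carried through in code, as an added worked example that is not part of the paper: it reproduces the 1 L, 0.5 L and 0.1 L currents quoted above, gives the current at both ends of the 1 × 10³ to 1 × 10¹¹ μGy/h range for the chosen 0.1 L chamber, and checks the claim that the parallel double chamber of Fig. 1 delivers the sum of its branch currents. Two constants the paper does not state explicitly are assumed: 1 R = 2.58 × 10⁻⁴ C/kg (the definition of the roentgen) and 1 Gy in air ≈ 115 R, which is what the 1 R/h ≈ 1/115 Gy/h relation implies; V is taken in cm³, as the 1.293 × 10⁻⁶ kg/cm³ constant requires.

```python
"""Saturation current of an air-equivalent ionization chamber, Eqs. (1)-(2).

Added worked example, not code from the paper.  Assumed constants that the
paper does not state: 1 R = 2.58e-4 C/kg and 1 Gy (air) = 115 R.
"""
import math

P0 = 1.013e5        # standard pressure, Pa (paper)
T0 = 273.15         # standard temperature, K (paper)
RHO_AIR = 1.293e-6  # air density at (P0, T0), kg/cm^3 (the paper's constant)
C_PER_KG_PER_R = 2.58e-4  # assumed: definition of the roentgen
R_PER_GY = 115.0          # assumed: 1 Gy in air ~ 115 R


def air_mass_kg(volume_cm3: float, pressure_pa: float = P0, temperature_k: float = T0) -> float:
    """Eq. (2): mass of air in the sensitive volume, corrected to the filling state."""
    return RHO_AIR * volume_cm3 * (pressure_pa / P0) * (T0 / temperature_k)


def exposure_rate_c_per_kg_s(dose_rate_ugy_per_h: float) -> float:
    """Convert an air dose rate in uGy/h to the exposure rate R of Eq. (1), C/(kg*s)."""
    r_per_h = dose_rate_ugy_per_h * 1e-6 * R_PER_GY
    return r_per_h * C_PER_KG_PER_R / 3600.0


def saturation_current_a(volume_cm3: float, dose_rate_ugy_per_h: float,
                         pressure_pa: float = P0, temperature_k: float = T0) -> float:
    """Eq. (1) solved for the current: I_s = R * M."""
    return exposure_rate_c_per_kg_s(dose_rate_ugy_per_h) * air_mass_kg(
        volume_cm3, pressure_pa, temperature_k)


def current_range_a(volume_cm3: float, low_ugy_per_h: float = 1e3,
                    high_ugy_per_h: float = 1e11):
    """Currents at both ends of the paper's measuring range (1e3 .. 1e11 uGy/h)."""
    return (saturation_current_a(volume_cm3, low_ugy_per_h),
            saturation_current_a(volume_cm3, high_ugy_per_h))


def dynamic_range_decades(volume_cm3: float) -> float:
    """Decades the electrometer must cover for a chamber of this volume."""
    lo, hi = current_range_a(volume_cm3)
    return math.log10(hi / lo)


def parallel_chamber_current_a(volumes_cm3, dose_rate_ugy_per_h: float) -> float:
    """Parallel double chamber of Fig. 1: the output is the sum of the branch currents."""
    return sum(saturation_current_a(v, dose_rate_ugy_per_h) for v in volumes_cm3)


if __name__ == "__main__":
    for litres in (1.0, 0.5, 0.1):
        i_s = saturation_current_a(litres * 1000, 1e3)
        print(f"{litres:.1f} L chamber at 1e3 uGy/h: {i_s:.3e} A")
    lo, hi = current_range_a(100)
    print(f"0.1 L chamber spans {lo:.2e} A .. {hi:.2e} A "
          f"({dynamic_range_decades(100):.0f} decades)")
    print(f"68 cm3 + 32 cm3 in parallel at 1e3 uGy/h: "
          f"{parallel_chamber_current_a((68, 32), 1e3):.3e} A")
```

The computed values round to the paper's 1.07 × 10⁻¹¹ A, 5.35 × 10⁻¹² A and 1.07 × 10⁻¹² A; the 0.1 L chamber then has to deliver from about 1 pA up to about 0.1 mA over the stated range, eight decades, which is the span the I-V/V-F electrometer of Sect. 1.4 must handle.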


1.2 Electrode

At present, aluminum, stainless steel and titanium are the main materials used for reactor ionization chambers manufactured in various countries. Based on chemical analysis of these three materials in China and on experimental data on the activation of ionization chambers made of them in the neutron reactor at Tsinghua University, stainless steel is activated most severely, while aluminum and titanium have better, and similar, resistance to activation. Taking into account the energy response of the ionization chamber and domestic machining capability, pure aluminum is selected as the electrode material. The filling gas is a mixture of 99.999 % nitrogen and 99.999 % argon at atmospheric pressure, in the ratio 92 % nitrogen to 8 % argon.

1.3 Cable

The cable is the bridge for high voltage and signal transmission between the ionization chamber and the local processing box. It consists of armored cable, a 1E electrical penetration and low-noise cable. The armored cable is a metal cable with insulating material filled between the core wire and the sheath; sheath and core are generally copper or stainless steel, the filling is Al₂O₃, SiO₂, MgO or similar, and the cable has a wide temperature range and can be welded. The insulation resistance of the armored cable shall be greater than 10¹⁰ /V·m, and the distributed capacitance shall be less than 100 pF/m.

1.4 Electrometer

The electrometer combines I-V and V-F conversion; the circuit is shown in Fig. 2. The current is first converted to a voltage (I-V) and the voltage is then converted to a frequency (V-F). Under the γ radiation field the ionization chamber produces a weak current from a high-impedance source, and this current increases linearly with the radiation field. The current is converted into a voltage by an operational amplifier with high input impedance, and the voltage signal is converted into a pulse output by the V-F converter. The advantage is that even when the input current is at background level the output is still 1 Hz to 10 Hz, which is convenient for computer data processing and improves the anti-interference ability and response time of the circuit.

Fig. 2. Combined circuit diagram of I-V and V-F


2 Failure of LOCA Environmental Test

According to GB/T 12727-2002 “Nuclear Power Plants-Electrical Equipment of the Safety System-Qualification” [7], RCC-E 2005 “Design and Conception Rules for Electrical Equipment of Nuclear Islands” [8] and the technical specification, the qualification curves of the LOCA environmental test are shown in Fig. 3 and Fig. 4. Before the test the output current of the ionization chamber detector was below 10 pA. The test has five stages, listed in Table 1, and after the test the output current is required to be below 100 pA. Test stages 1 and 2 were normal, with the detector output below 300 pA. After 8 h of stage 3 the output current began to change, but the allowable error was not yet exceeded. After 13 h of stage 3 the output current reached a maximum of 54 nA. After 18 h of stage 3 it decreased gradually and stayed at 10 nA; it could not be restored to the normal working range, so the test requirements were not met.

Fig. 3. Qualification curve of pressure for severe accident with the equipment and instrumentation located in containment


Fig. 4. Qualification curve of temperature for severe accident with the equipment and instrumentation located in containment

Table 1. Five stages of LOCA environmental test

Test stage | Temperature of LOCA test device / °C | Pressure of LOCA test device / MPa | Output current value of ionization chamber detector / pA
1 | 50 | 0.1 | Less than 300
2 | 150 | 0.47 | Less than 300
3 | 150 | 0.47 | Less than 300
4 | 137 | 0.33 | Less than 300
5 | 137 | 0.33 | Less than 300

3 Fault Analysis

3.1 Preliminary Analysis

To determine the cause of the fault, the temperature of the LOCA test device was kept constant while the pressure was reduced gradually, and the change in the output current of the ionization chamber detector was observed, as shown in Table 2. The measured output current decreases as the pressure decreases. Since there are no electronic components in the ionization chamber detector and its insulator is ceramic, the shape and surface insulation resistance of the ceramic should not change with the pressure of the LOCA test device. The only explanation is that the ionization chamber detector leaks: as the external pressure falls, its internal pressure falls with it, the humid air inside the detector is gradually driven out, the insulation resistance of the insulator gradually rises, and the output current gradually decreases.

Table 2. Comparison between pressure of LOCA test device and output current of ionization chamber detector

Time | Pressure of LOCA test device / MPa | Output current value of ionization chamber detector / nA
11:40 | 0.435 | 7.81
11:52 | 0.368 | 5.88
12:00 | 0.364 | 5.0
12:10 | 0.356 | 4.1
12:20 | 0.341 | 3.5
12:30 | 0.328 | 3.0
12:40 | 0.273 | 2.6
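The diagnostic reasoning of Sect. 3.1 (a sealed detector has no reason to follow the vessel pressure; one that has lost its seal breathes with the vessel and its current tracks the pressure) written as a check that can be run over logged depressurisation data, as an added example that is not code from the paper. The rows of TABLE_2 are the measurements in Table 2; the 0.9 correlation threshold, the 1 nA/MPa minimum slope and the SEALED_CONTROL series are assumed values constructed for the illustration.

```python
"""Leak diagnosis from a constant-temperature depressurisation run (Sect. 3.1).

Added worked example, not code from the paper.  TABLE_2 holds the paper's
Table 2; the thresholds and the SEALED_CONTROL series are constructed
assumptions for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, Sequence, Tuple


@dataclass(frozen=True)
class Sample:
    time: str
    pressure_mpa: float
    current_na: float


# Table 2 of the paper: vessel pressure vs detector output while depressurising
TABLE_2: Tuple[Sample, ...] = (
    Sample("11:40", 0.435, 7.81),
    Sample("11:52", 0.368, 5.88),
    Sample("12:00", 0.364, 5.0),
    Sample("12:10", 0.356, 4.1),
    Sample("12:20", 0.341, 3.5),
    Sample("12:30", 0.328, 3.0),
    Sample("12:40", 0.273, 2.6),
)

# Constructed control series (assumption): the same pressure steps, but a
# healthy detector whose output only shows measurement noise around 0.25 nA.
SEALED_CONTROL: Tuple[Sample, ...] = tuple(
    Sample(s.time, s.pressure_mpa, i_na)
    for s, i_na in zip(TABLE_2, (0.25, 0.26, 0.24, 0.25, 0.26, 0.25, 0.24))
)


def linear_fit(xs: Sequence[float], ys: Sequence[float]) -> Tuple[float, float]:
    """Least-squares slope of ys on xs and the Pearson correlation coefficient."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    slope = sxy / sxx
    r = sxy / (sxx * syy) ** 0.5 if syy > 0 else 0.0
    return slope, r


def tracks_monotonically(samples: Sequence[Sample]) -> bool:
    """True if every pressure decrease between consecutive samples is matched by a current decrease."""
    return all(
        later.pressure_mpa < earlier.pressure_mpa and later.current_na < earlier.current_na
        for earlier, later in zip(samples, samples[1:])
    )


def diagnose(samples: Sequence[Sample], r_threshold: float = 0.9,
             min_slope_na_per_mpa: float = 1.0) -> Dict[str, object]:
    """Classify a constant-temperature depressurisation run.

    A leak is suspected when the output current is strongly correlated with the
    vessel pressure AND the sensitivity is large enough to matter; the slope
    guard keeps a well-correlated but negligible drift from being flagged.
    """
    slope, r = linear_fit([s.pressure_mpa for s in samples],
                          [s.current_na for s in samples])
    leak = r >= r_threshold and slope >= min_slope_na_per_mpa
    return {
        "slope_na_per_mpa": slope,
        "pearson_r": r,
        "monotone": tracks_monotonically(samples),
        "verdict": "leak suspected" if leak else "no pressure dependence",
    }


if __name__ == "__main__":
    for label, run in (("Table 2 detector", TABLE_2),
                       ("constructed sealed control", SEALED_CONTROL)):
        d = diagnose(run)
        print(f"{label}: r={d['pearson_r']:.3f}, slope={d['slope_na_per_mpa']:.1f} nA/MPa, "
              f"monotone={d['monotone']} -> {d['verdict']}")
```

On the Table 2 data the current falls with every pressure step and the correlation is about 0.93 with a sensitivity of roughly 35 nA/MPa, so the run is classified as a suspected leak; the constructed control, whose output is flat within noise, is not. The check is only meaningful when the vessel temperature is held constant, as it was in the paper's test, since a temperature change would move the insulation resistance as well.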

3.2 Location Analysis of Leakage Point

Leak detection liquid was applied to the front armored cable interface and to the root of the rear inflation nozzle of the ionization chamber detector. No change and no bubbles were found at the front armored cable interface weld, as shown in Fig. 5, while obvious bubbles, i.e. leakage points, appeared at the root weld of the rear inflation nozzle, as shown in Fig. 6.

Fig. 5. Leakage detection of front armored cable interface weld


Fig. 6. Leakage detection of back inflation nozzle root weld

3.3 Cause Analysis of Leakage

The causes of the leak were analyzed from the aspects of personnel, equipment, materials, machining process and inspection technique, as shown in Table 3. The commissioning personnel carry out inflation, leak detection and baking, repeated three times, and then check the ionization chamber detector; the whole process must follow the process documents and be recorded. After this process, the inflation nozzle has to be slightly deformed before the rear protective cover of the ionization chamber detector can be installed. However, the commissioning personnel did not protect the weld effectively while deforming the nozzle, and no detection means were used to check it afterwards. A qualified, independent third-party testing agency was entrusted to carry out PT (penetrant testing) and a tensile test on the root weld of the inflation nozzle of the ionization chamber detector, as shown in Figs. 7 and 8; the test report shows that the welding process and weld strength meet the design requirements.

Table 3. Cause analysis of leakage

Factor | Criterion | Requirement met?
Welder | Nuclear Class | Yes
Technical and Inspection Personnel | Authorized | Yes
Inspection Equipment | Within the Verification Period | Yes
Drawings and Welding Materials | National Standard | Yes
Processing Technology and Records | Meet the Design Requirements | Yes
Assembly and Inspection Process | Meet the Process Flow | No

Fig. 7. PT detection

Fig. 8. Tensile test

Based on the analysis of the influence of personnel, equipment, documents and external forces, the direct cause of the out-of-tolerance output current of the ionization chamber detector during the LOCA environmental test is the leakage point at the root weld of the inflation nozzle. The root causes are as follows:

(1) After the ionization chamber detector was inflated and sealed, the protective cover could not be installed because of the length of the inflation nozzle, so the nozzle had to be bent. During bending, the commissioning personnel did not use proper tools to protect its root, which cracked the root of the inflation nozzle.
(2) After bending the inflation nozzle, the commissioning personnel did not verify it with any detection means.
(3) The nuclear safety awareness of the commissioning personnel is weak; the damage to the equipment was not considered during the bending operation.

4 Improvements

4.1 Improvement of Processing Technology

Cooling liquid is needed during machining of the parts, so oil on the surface penetrates into them. Chemical cleaning is used to remove the oil, improving the cleanliness of the ionization chamber and making it more stable at high temperature. To ensure quality control in the production of the ionization chamber detector, the “Ionization Chamber Assembly and Detection Process” is upgraded and protective measures for the root weld of the inflation nozzle during the bending operation are added. The sealing material of the armored cable is a ceramic glaze; the maximum temperature the material can bear is 700 °C, and above 800 °C it carbonizes, which seriously degrades the insulation of the armored cable. Therefore the armored cable should be seal-welded by high-frequency welding, whose temperature is controllable.

4.2 Improvement of Detection Method

After the inflation nozzle is bent, a dedicated leak detection device is used for effective verification. The device reproduces the working principle of the LOCA test device: according to the saturated-steam temperature-pressure table, saturated steam is injected into a sealed vessel of known volume, and the steam pressure in the vessel rises with temperature; when the saturated water temperature reaches 150 °C the steam pressure reaches 0.47 MPa, which matches the simulation curve test requirement. According to the structure and shape of the ionization chamber detector, a sealed container of 0.2 L is designed for the rear of the detector; it encloses the inflation nozzle and is sealed with a gasket after being screwed onto the detector thread. The maximum working pressure of the ionization chamber is 0.7 MPa and its design pressure should be greater than 0.9 MPa, so the corresponding pressure equipment should be provided for inspection during production.

4.3 Personnel Improvement

Design, manufacturing, inspection and commissioning personnel are organized to study nuclear safety laws and regulations in order to strengthen their nuclear safety awareness.

5 Conclusion

The key parts of the γ dose-rate monitor system, such as the ionization chamber and the armored cable, had defects in their assembly and inspection process. The nuclear safety awareness of the commissioning personnel was weak: the inflation nozzle was bent without proper tools to protect its root, and no leak inspection was carried out afterwards, which led to the failure of the LOCA environmental test. By observing how the output current of the ionization chamber detector changed as the LOCA test device was depressurized, it was judged that the equipment had a leakage point, and leak detection located it at the root of the inflation nozzle. PT inspection and a tensile test proved that the welding process and weld strength meet the design requirements. The causes of the leakage point were analyzed from the aspects of process, personnel, materials, equipment and other factors; the main problems are the missing leak inspection step after the nozzle bending operation in the process flow, and human factors. The process flow step is added, the process documents are upgraded, a dedicated leak detection device is designed, the necessary pressure-test equipment is provided and the nuclear safety culture awareness of personnel is strengthened; these measures solve the problems above and provide guidance for improving the equipment.


References

1. Ling, Q., Guo, L.Y., Li, D.Y.: Radiation Measurement Technology of Nuclear Power Plant. Atomic Energy Press, Beijing (2001)
2. Zhao, J.W., Zhao, X.H., Huang, X.F.: Development of γ dose-rate detector with two G-M counter tubes based on RS-485 bus. Nucl. Electr. Detect. Technol. 32(6), 736–739 (2012)
3. Shi, H.L., et al.: Development of miniature γ dose rate monitor with high sensitivity. Nucl. Electr. Detect. Technol. 29(2), 312–315 (2009)
4. Hu, Y., et al.: Design and implementation of the monitoring software for X-γ dose-rate meter based on-site measurement. Nucl. Electr. Detect. Technol. 37(3), 349–354 (2017)
5. Chen, L.N., et al.: The design of a long-distance X-γ dose rate monitor. Nucl. Electr. Detect. Technol. 31(1), 120–123 (2011)
6. Yu, H.X., et al.: General technology features of reactor core and safety systems design of HPR1000. Nucl. Power Eng. 40(1), 1–7 (2019)
7. GB/T 12727-2002 Nuclear Power Plants-Electrical Equipment of the Safety System-Qualification. China Standards Press, Beijing (2002)
8. AFCEN: RCC-E 2005 Design and Conception Rules for Electrical Equipment of Nuclear Islands. EDF and Framatome, Paris (2005)

Discussion on the Software V&V Technology in Nuclear Power Plants

Hui-Hui Liang(B), Wang-Ping Ye, Wei Liu, and Jian-Zhong Tang

State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, I&C Equipment Qualification and Software V&V Laboratory, China Nuclear Power Engineering Co., Ltd., Shenzhen 518172, Guangdong, China
[email protected]

Abstract. Software V&V technology provides the reliability and safety guarantee for the digital systems and intelligent equipment used in nuclear power plants. Although a systematic scheme of software V&V technologies has been formed for nuclear power plants, several technical points still need to be discussed and considered. The software V&V standards have been updated, raising the requirements on the depth and scope of software V&V and on the appropriate techniques and methods. This paper discusses the upgraded software V&V standards and the key points software V&V technology needs to address. It then discusses the identification of pre-developed software, new software V&V techniques for special instrumentation and control systems, and the applicability assessment of safety analysis software, and states the technical difficulties software V&V faces in each of these areas. Finally, the future development direction of software V&V technology is proposed.

Keywords: Software V&V · PDS · Software assessment · NPPs

1 Introduction

Digital technology is used in nuclear power plants (NPPs). To ensure the reliability and safety of the digital technology used in nuclear power plants, software development shall meet the requirements of rigorous standards and regulations: software performing category A functions should comply with IEC 60880 or IEC 62566 [1, 2], and software for category B and C functions with IEC 62138 [3]. Software can also be divided into pre-developed and newly developed software, and the safety analysis and calculation software of the nuclear power plant and the software of special instrumentation and control systems belong to yet another classification, so software quality assessment is difficult and complex. Software verification and validation (V&V) is a widely accepted and effective method of ensuring software quality in nuclear power plants [3]. In recent years the regulations and standards related to nuclear power plant software safety have been updated and released. IEEE 1012, the core standard on which software V&V activities are based, has been updated to its 2017 edition, and IAEA has adjusted its regulations and standards.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021. Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 380–385, 2021. https://doi.org/10.1007/978-981-16-3456-7_36


SSG-39, the IAEA safety standard on instrumentation and control system and software design, entered into force in 2016, and RCC-E has been upgraded to the 2016 edition. These put forward higher requirements on the depth and scope of software V&V and on the appropriate techniques and methods. Although software V&V technology has been applied in nuclear power plant construction projects, several technical points still need to be discussed and considered. This paper discusses the identification of pre-developed software (PDS) and of new software, and the assessment of calculation software used for safety analysis in nuclear power plants, and then proposes the development trend of software V&V technology.

2 Standard Requirements

In recent years the relevant standards for software V&V have been upgraded, putting forward new requirements for software V&V activities in nuclear power plants. The NRC, through R.G. 1.168-2013, endorses the position that software V&V for the nuclear safety class shall follow IEEE 1012-2004 Integrity Level 4 [1, 2]. The scope of IEEE 1012-2004 is limited to software V&V, while IEEE 1012-2012 and IEEE 1012-2017 extend the scope of V&V to systems and hardware [3, 4]. IEEE 1012-2017 adds new requirements for V&V tasks related to hazard analysis, security analysis, and evaluation of source code and source code documentation during the design, implementation, test, installation, operation and maintenance phases. The main changes in the newly published IAEA safety standard SSG-39 (2016) address the continuing development of computer applications and the evolution of the methods required for safety [5], security and actual use; the development of human factors engineering and the needs of computer information security are also considered. The software V&V requirements of RCC-E 2016 are mainly based on the IEC standard series (IEC 60880, IEC 62138, IEC 62566) [6], supplemented with requirements not listed in the IEC standards. RCC-E 2016 Volume III Part E supplements or modifies the software V&V requirements for the software aspects of computer-based systems performing category A functions, including the verification plan, software aspects confirmed at system level, software modification, defense against common cause failure in software, and identification requirements for limited-function digital devices (DDLF). The changes between NS-TAST-GD-046 rev. 4 (2017) and the rev. 5 draft mainly concern the scope of application [7], multi-legged demonstration, and the addition of pre-developed items such as identification requirements for commercial-grade intelligent devices and platforms.

Compared with these, the existing software V&V technical scheme basically covers and meets the new requirements of the relevant laws and standards, but the following points need attention in the details and depth of implementation:

– strengthen the V&V of project planning and configuration management, and refine its implementation strategy;
– strengthen the tool qualification requirements and related tasks, and refine their implementation strategy;
– refine the implementation strategy of the hazard analysis and security analysis tasks;
– analyze the scope of application of statistical testing and formal methods, and determine specific implementation plans when conditions permit.

3 Technical Discussions Based on Sect. 2, although the software V&V technology has been used in power plants construction objects, there are some technical nodes need to be discussed and considered. The pre-developed software identification, statistical tests and formalizes methods which used to the new software V&V, and calculation software assessment which used for safety analysis are the difficult points in software V&V activities is in nuclear power plants. 3.1 Pre-developed Software Identification More and more equipment in nuclear power plants includes digital software. These intelligent devices have the advantages of high control precision, strong calculation capability, high data transmission reliability, easy expansion and configuration, easy maintenance and management, high integration, etc., which greatly improve the economic benefits of Nuclear Power Plant when digital devices are used to perform Safety Function. Due to the high safety and reliability requirements of nuclear power plant, the newly developed software has high cost and long cycle, which cannot meet the application requirements of nuclear power projects in time. Pre-developed software is that software is already exists and available as a commercial or proprietary product, and being considered for use [8]. Comparing with conventional industries, the nuclear power application market is smaller. At present, most of the pre-developed software rights are universal mature products and non-nuclear power customized products. The quality and technical standards which adopted by software supply contractor and development company are usually industrial standards. And whether the software functions are suitable for the expected application of nuclear power needs to be evaluated. 
So, how to prove that the pre-development software meets the software quality assurance and technical requirements is a key problem when using the existing mature pre-developed software to implement nuclear power plant safety-class functions. According to the standard requirements, the applicability of the pre-developed software can be proved through standard conformity analysis, suitability evaluation, quality evaluation, operation experience feedback and supplementary testing activities. The difficulty is that the quality assurance records of pre-developed software are commonly incomplete. When the activities of quality assurance and configuration management cannot fully proof the pre- developed software satisfied the requirements of the nuclear power plants. Therefore, comprehensive suitability assessment is needed in combination with sufficient supplementary tests and good operating experience data. 3.2 New Software V&V Under the new situation of nuclear power development, China needs to gradually have the ability to independently design and manufacture key equipment, only in this way the


nuclear power “going global” can be realized. A nuclear safety-class special system with independent intellectual property rights is an important technology to be conquered in the research and development of nuclear power equipment. According to the requirements of laws and regulations, software V&V is an essential and important step in forming nuclear safety-class special instrumentation and control system products. Software V&V technology mainly includes review technology, analysis technology and testing technology. However, traditional testing technology can hardly achieve 100% full-path coverage testing and cannot identify all potential errors. Formal verification technology is based on mathematical logic reasoning and is mathematically rigorous and logically complete in system modeling and testing. Formal verification can realize 100% full-path coverage testing, thus making up for the deficiency that traditional testing technology can hardly find all software defects. This verification technology helps to improve the depth of software V&V and the quality of software. Another difficulty with software V&V is statistical testing. Statistical testing is a key technology for quantitatively evaluating the reliability of nuclear power plant software. By simulating actual operating conditions, statistical testing can test and evaluate the reliability and safety of the safety-important instrumentation and control system design in the early stage of project construction, so as to find defects and problems as early as possible and avoid the risks of project delay and high repair costs caused by finding problems only during the on-site commissioning phase. Standards such as IEC 60880, IEC 61508 and IEEE 1012 and reports of international authoritative organizations highly recommend formal methods and statistical tests for the design verification of nuclear safety-class instrumentation and control systems [8, 9].

In order to ensure the security and reliability of the special instrumentation and control system designed by the nuclear power plant self-reliantly and to meet the requirements of the project going global, it is necessary to start the relevant work on formal verification and statistical testing as soon as possible. At present, no good formal verification and statistical testing scheme has been formed in nuclear power plants.

3.3 Calculation Software Used for Safety Analysis

The computer software used in the safety analysis of nuclear power plants usually includes 9 categories, such as the radiological analysis program, neutron physics program, fuel behavior program, thermal hydraulic program and probabilistic safety analysis program. According to the requirements of HAF 102-2004 and HAD 102/17-2006, the computer program, analysis method and nuclear power plant model applied in safety analysis must be verified and validated, and the uncertainty must be fully considered. The software verification and validation of the nuclear power plant safety analysis evaluation procedure requires not only requirements verification, design verification, implementation verification and test verification; the most important thing is carrying out the verification and validation of the evaluation model, which is also the difficult and key work for calculation software used for safety analysis in nuclear power plants.


H.-H. Liang et al.

The evaluation model for safety analysis needs model assessment, and appropriate data (experimental data, international standard problems, nuclear power plant operation data, etc.) also need to be used to prove the suitability of the evaluation model for simulating the behavior of the nuclear power plant during assumed transients and accidents. For final validation, the software's test data must be compared with experimental and power plant data. If the calculation method in safety analysis contains a large number of simplifications, more advanced calculation methods should be adopted where possible to prove that the main physical phenomena have been fully considered in the simplified method.

4 Development Trend of Software V&V

With the development of various emerging technologies, the software V&V of nuclear power plants will focus on the following aspects in the future. Agile testing is a series of testing practices that conform to agile development methods and strive to achieve both quality and efficiency. Automation focuses on the automation of testing, including the development of testing tools and the optimization of testing activities, transforming human-driven testing behavior into behavior executed by machines, so that testers can log in to the testing environment to carry out testing services. Servicing means making software a service and building a test platform so that software developers can automatically acquire the ability to test on demand. Modeling means model-based testing, which is more effective and accurate, and the test can be completely automated. Intelligence means using the Internet, storage capacity, technical capacity and big data computing to carry out automatic generation of test data, autonomous control of software, intelligent analysis of defects and logs, and optimization of testing and design. The cloud platform is the foundation facility for testing, which can better support automation, servicing and intelligence.

5 Summary

Software V&V technology in nuclear power plants needs to strictly comply with the requirements of regulations and standards. Formal verification and statistical testing methods are the bottlenecks that currently restrict nuclear power from going global. Formulating an effective model correctness and uncertainty evaluation scheme for the computational software used in safety analysis is also an important topic. Agility, automation, modeling and intelligence are the development trends for software testing. The software V&V of nuclear power plants needs to carry out the above-mentioned cutting-edge technology research to improve software quality and testing efficiency.


References
1. R.G.1.168-2013: Verification, Validation, Reviews and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants (2013)
2. IEEE 1012-2004: IEEE Standard for Software Verification and Validation (2004)
3. IEEE 1012-2012: IEEE Standard for System and Software Verification and Validation (2012)
4. IEEE 1012-2017: IEEE Standard for System, Software and Hardware Verification and Validation (2017)
5. SSG-39-2016: Design of Instrumentation and Control Systems for Nuclear Power Plants (2016)
6. RCC-E-2016: Design and Construction Rules for Electrical and I&C Systems and Equipment (2016)
7. NS-TAST-GD-046.R4-2017: Computer Based Safety Systems (2017)
8. IEC 60880-2006: Nuclear Power Plants - Instrumentation and Control Systems Important to Safety - Software Aspects for Computer-Based Systems Performing Category A Functions. Switzerland (2006)
9. IEC 61508-2010: Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems (2010)

Research and Application of RPN Key Technologies in Nuclear Power Plants

Ya-Jie Tian, Tian-You Li(B), Zhen-Yu Shen, Hua-Qing Peng, Rui Zhang, Li Zeng, Jing Shang, and Jing Li
State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Company Ltd., Shenzhen 518045, Guangdong, China
[email protected]

Abstract. The key technologies of the Nuclear Instrumentation System (hereinafter referred to as RPN), such as accident monitoring, installation and positioning, and signal abnormality, are studied in this paper. Through analyzing the requirements of post-accident monitoring laws and regulations, the compensated ionization chamber monitoring technology and the fission chamber monitoring technology are studied in depth. The positioning mechanism of detector components is analyzed, and the positioning technical characteristics of the “push-pull trolley type” and “bucket type” are systematically studied. The signal abnormality phenomenon is analyzed, and an equivalent circuit diagram and fault tree are established to analyze the technical causes of signal abnormality. Through the research on the key technologies, an advanced system scheme is independently realized. The independent scheme adopts fission chamber accident monitoring technology, realizes “bucket type” installation of detector components, and adopts measures such as improving gateway redundancy to ensure reliable and safe operation of the unit. The autonomous scheme has been applied to an advanced third-generation pressurized water reactor in China, and the research results have certain reference value for the research and design improvement of other reactors.

Keywords: Nuclear instrumentation · RPN · Post-accident monitoring · Fission chamber · Bucket type · Signal anomaly

1 Introduction

The RPN system uses a series of neutron detectors distributed outside the reactor pressure vessel to measure reactor power, power change rate and axial power deviation, etc. It is an important system related to reactor safety [1]. Since it is difficult for a single type of detector to cover the 11 orders of magnitude of power monitoring requirements from reactor startup to power operation, the RPN system of a megawatt-class nuclear power plant is usually equipped with three types of detectors: source range, intermediate range and power range, so as to realize continuous monitoring and protection of reactor power in different operation stages (shutdown, power rise, power operation, etc.). However, the long-term post-accident monitoring capability of the CPR1000 reactor RPN system in China does not satisfy the higher accident monitoring requirements of third-generation reactors, while the third-generation reactor types have all realized the long-term accident monitoring function, which ensures convenience of plant operation and maintenance and the reliability of the RPN system. So it is urgent and necessary to analyze key technologies such as accident monitoring solutions, installation and positioning technology and signal anomaly handling. Based on these analyses, this paper aims to form an advanced technical scheme for an autonomous ex-core nuclear instrumentation system with advanced technology, high safety and reliable system performance.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 386–399, 2021. https://doi.org/10.1007/978-981-16-3456-7_37

2 Key Technology Problems

2.1 Technical Status

Three types of detectors (proportional counter, compensated ionization chamber and non-compensated long ionization chamber) are used to monitor the neutron fluence rate outside the pressure vessel in the RPN technology of the domestic second-generation-plus reactor type (hereinafter referred to as CPR1000) and the European advanced third-generation reactor type (hereinafter referred to as EPR). The measurement ranges of the different detector channels overlap each other to ensure continuous measurement from reactor shutdown to full power operation. However, in order to meet the post-accident measurement requirements, lead material is used outside the intermediate range detector to shield the interference of γ rays on the measurement signals [2]. Compared with the CPR1000 reactor, the Russian advanced reactor (hereinafter referred to as VVER) and the American advanced reactor (hereinafter referred to as AP1000) increase the number of channels in the source range and intermediate range, improve the redundancy of instrument channels, and have higher system measurement reliability. The VVER, EPR and AP1000 reactor types all adopt similar “bucket type” installation and positioning technology for detector assembly positioning. In order to meet the measurement requirements of the neutron fluence rate after an accident, fission chamber technology is applied to the intermediate range detector of the AP1000 reactor [3].

2.2 Urgent Problems

The post-accident power monitoring capability of the CPR1000 reactor RPN system in China is weak. Based on RG 1.97 and the experience feedback from the Fukushima nuclear accident, a nuclear power plant needs to have the capability of long-term post-accident power monitoring.

The current CPR1000 reactor intermediate range channel equipment qualification does not meet the requirements of long-term post-accident monitoring, while the equipment selection and qualification of the internationally advanced third-generation reactors EPR and AP1000 can meet them. It is urgent to realize long-term post-accident monitoring of the RPN system in the new reactor technology in China.


Y.-J. Tian et al.

RPN system design and equipment reliability need to be improved. Signal flashes and spurious reactor trip events have occurred in many domestic projects, affecting the safe and stable operation of nuclear power units. The RPN system is a key instrumentation and control system in a nuclear power plant. The system equipment has long been monopolized by several foreign manufacturers. For China's nuclear power technology to “go global”, it is also necessary to study and form an advanced RPN system design and equipment with independent intellectual property rights.

2.3 Technical Difficulties

In order to improve the post-accident monitoring capability of the RPN system, it is necessary to systematically analyze accident monitoring regulations and guidelines, study the technical schemes of non-compensated ionization chamber technology and fission chamber detectors, and carry out physical modeling and checking calculations of instrument parameters according to reactor characteristics. For the research on positioning and installation technology, it is necessary to systematically analyze and study the “bucket type” installation technology, and to solve key technical points such as guide cylinder design, detector assembly passage checking calculation, embedded connector design, fluence rate physical model checking calculation, assembly connection and positioning, detector source test design, etc. In order to improve the reliability of the RPN, it is necessary to study key technical points such as gateway redundancy of instruments, EMC protection of equipment, electromagnetic environment protection of equipment installation and arrangement, and prevention of signal abnormalities.

3 Solution

3.1 Post-accident Monitoring

3.1.1 Accident Laws and Regulations

The RG 1.97 guidelines stipulate [4] that the reactor shall have long-term monitoring capability for neutron flux during and after accidents under accident conditions, and that the reactor's power monitoring range is 10E−6% FP to 100% FP. The power range of post-accident monitoring is generally within the measurement range of the intermediate range detector of the RPN system, so each reactor type generally performs the post-accident monitoring function through the intermediate range channel. The nuclear power plant guideline for accident monitoring instruments (GB/T 13627) stipulates that post-accident power monitoring instruments shall be implemented according to Class B variables, and that the available time of the instrument gateway shall meet the time requirements for power monitoring in design basis accidents. The nuclear power plant safety system electrical equipment qualification standard (GB/T 12727) stipulates the requirements for radiation aging qualification and radiation qualification under accident conditions (Fig. 1).

Fig. 1. The regulation of RPN nuclear power accident monitoring (diagram; extracted node labels: International Standards: IEC, IAEA, IEC 60780, NS-G-1.3; Chinese Standards: HAF 102, HAD, GB 13627, GB 13284, GB 12727; American Standards: NRC, IEEE, R.G 1.97, IEEE 603, IEEE STD 323, IEEE STD 497)

3.1.2 Accident Monitoring Technology of the Compensated Ionization Chamber

A γ-compensated ionization chamber is selected for the intermediate range detector of the CPR1000 reactor and the EPR reactor. The γ-compensated ionization chamber is sensitive to both neutrons and γ rays. Under the condition of a strong γ field, in order to accurately measure the current signal generated by neutrons, it is necessary to eliminate the interference current signal generated by γ rays. Under the action of the high voltage V1, neutrons in the neutron ionization chamber generate the current $I_n$ and γ rays generate the current $I_\gamma$; in the γ ionization chamber, a current $I_\gamma$ is generated by γ rays, which is opposite in direction to the $I_\gamma$ current generated in the neutron ionization chamber, so the ammeter reading is:

$I = (I_n + I_\gamma) - I_\gamma = I_n$ (1)

By setting a reasonable high voltage V1 and compensation high voltage V2, the γ current values counteract each other and compensate the effect of γ interference signals, so that the current measured by the ammeter is the current generated by neutrons (Fig. 2).

Fig. 2. γ compensation ionization chamber structure diagram

Due to the γ compensation mechanism analyzed above and limited by the compensation efficiency of the detector, the compensated ionization chamber cannot fully compensate the effect of γ interference. The compensation rate is usually 95% to 99%, with a typical value of 98% and a compensation error of about 2%. If a design basis accident occurs at $10^{-3}\%$ FP ($10^{5}$ nv of neutron flux), the γ dose rate in the containment will reach $10^{3}$ Gy/h. At this point, the neutron current signal is:

$4.2 \times 10^{-14}\ \mathrm{A/nv} \times 10^{5}\ \mathrm{nv} = 4.2 \times 10^{-9}\ \mathrm{A}$ (2)

The interference current generated by γ rays is:

$3 \times 10^{-9}\ \mathrm{A/(Gy/h)} \times 10^{3}\ \mathrm{Gy/h} = 3 \times 10^{-6}\ \mathrm{A}$ (3)

Calculated with a 2% compensation error, the ratio of the neutron current signal to the residual γ interference signal is:

$\dfrac{4.2 \times 10^{-9}\ \mathrm{A}}{3 \times 10^{-6}\ \mathrm{A} \times 2\%} = 0.07$ (4)

From the above, it can be seen that the neutron signal after compensation is only 0.07 times the interference signal: the noise is far greater than the signal that truly reflects the neutron current in the core, which cannot meet the post-accident monitoring requirements. In order for the compensated ionization chamber to meet the post-accident monitoring requirements, a shielding layer of specific substances (lead, tungsten, etc.) is generally added around the detector assembly to shield the influence of γ interference signals without excessive influence on neutron signals, so that the RPN system can meet the post-accident monitoring requirements and basically eliminate the interference of γ rays on the neutron signals of the detector. Lead is generally used as the physical shielding layer. The shielding effect of lead on γ rays can be seen in Table 1. The thickness of the shielding layer needed to meet the post-accident qualification requirements can be calculated according to the γ energy spectrum range and the attenuation formula. At the same time, the influence of the shielding material on neutron signals should also be analyzed through modeling.

Table 1. Shielding of lead material against γ signal

Energy/MeV | Thickness of lead/cm | Attenuation coefficient
0.1        | 0.038                | 13.0
0.2        | 0.22                 | 22.8
0.5        | 1.35                 | 18.9
1.0        | 2.98                 | 18.2
1.25       | 3.85                 | 11.5

The attenuation of γ rays in matter follows the exponential law:

$I = I_0 e^{-\mu t} = I_0 e^{-\mu_m \rho t}$ (5)

where $\mu_m = \mu/\rho$, μ is the absorption coefficient of the medium for γ rays, in cm⁻¹; ρ is the density; t is the thickness, in cm.
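As an added worked example (not code from the paper), the following Python carries Eqs. (2)–(5) through with the paper's own values and then inverts Eq. (5) to estimate how thick a lead shield must be to raise the compensated signal-to-noise ratio to a chosen target. The linear attenuation coefficient μ = 0.7 cm⁻¹ and the target ratio of 10 are assumed illustrative inputs, not values from the paper.

```python
import math

# Detector sensitivities and compensation error from Sect. 3.1.2, Eqs. (2)-(4).
NEUTRON_SENSITIVITY_A_PER_NV = 4.2e-14   # A per nv
GAMMA_SENSITIVITY_A_PER_GY_H = 3e-9      # A per (Gy/h)
COMPENSATION_ERROR = 0.02                # residual after ~98 % gamma compensation


def neutron_current(flux_nv):
    """Eq. (2): neutron-induced current I_n for a neutron flux given in nv."""
    return NEUTRON_SENSITIVITY_A_PER_NV * flux_nv


def gamma_current(dose_rate_gy_h, attenuation_factor=1.0):
    """Eq. (3): gamma-induced current I_gamma.

    attenuation_factor is I0/I from Eq. (5) for any shielding placed around
    the detector assembly (1.0 means no shielding).
    """
    return GAMMA_SENSITIVITY_A_PER_GY_H * dose_rate_gy_h / attenuation_factor


def compensated_snr(flux_nv, dose_rate_gy_h, attenuation_factor=1.0,
                    compensation_error=COMPENSATION_ERROR):
    """Eq. (4): ratio of I_n to the gamma current left after compensation."""
    residual_gamma = gamma_current(dose_rate_gy_h, attenuation_factor) * compensation_error
    return neutron_current(flux_nv) / residual_gamma


def attenuation_factor(mu_per_cm, thickness_cm):
    """Eq. (5) rearranged: I0/I = exp(mu * t) for a linear coefficient mu in 1/cm."""
    return math.exp(mu_per_cm * thickness_cm)


def required_shield_thickness_cm(target_snr, flux_nv, dose_rate_gy_h, mu_per_cm,
                                 compensation_error=COMPENSATION_ERROR):
    """Smallest shield thickness t (cm) such that compensated_snr >= target_snr.

    Solves target = snr_unshielded * exp(mu * t) for t and returns 0.0 when
    the unshielded channel already meets the target.
    """
    unshielded = compensated_snr(flux_nv, dose_rate_gy_h, 1.0, compensation_error)
    if unshielded >= target_snr:
        return 0.0
    return math.log(target_snr / unshielded) / mu_per_cm


if __name__ == "__main__":
    # Design basis accident case from the paper: 1e-3 % FP (1e5 nv), 1e3 Gy/h.
    flux, dose = 1e5, 1e3
    print(f"I_n = {neutron_current(flux):.2e} A")                          # 4.20e-09 A
    print(f"I_gamma = {gamma_current(dose):.2e} A")                         # 3.00e-06 A
    print(f"SNR after compensation = {compensated_snr(flux, dose):.2f}")    # 0.07
    mu = 0.7   # assumed illustrative linear attenuation coefficient of lead, 1/cm
    t = required_shield_thickness_cm(10.0, flux, dose, mu)
    print(f"lead thickness for SNR 10 at mu = {mu}/cm: {t:.2f} cm")
```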


3.1.3 Fission Chamber Technology

A fission chamber detector is an ionization chamber that generates ionization by reacting with neutrons through a sensitive layer coated with fissile material on the inner wall of the detector. It is one of the neutron ionization chambers. The fission chamber has three measurement modes: pulse measurement mode (

β2 > β3 > β4 (3)

Word semantic similarity calculation

Assuming that word W1 has n concepts $C_{1i}$, i = 1, 2, …, n, and W2 has m concepts $C_{2j}$, j = 1, 2, …, m, the semantic similarity between the two words W1 and W2 is defined in ref. [9] as follows:

$\mathrm{sim}(W_1, W_2) = \max_{i,j} \mathrm{sim}_{ij}(C_{1i}, C_{2j}),\quad i = 1, 2, \dots, n,\ j = 1, 2, \dots, m$ (4)

3.2 Documentation Structural Integrity Calculation Algorithm

The documentation structural integrity is evaluated based on the required quality characteristics defined in Sect. 2. The following conditions are considered.
• Does the documentation have all of the required key characteristics?
• Does the documentation have all of the required key sub-characteristics, and are they in the right place?
• Does the documentation have the required key sub-characteristics but in the wrong place?

Documentation Verification Based on Natural Language Processing


Firstly, define the similarity threshold as δ. If the calculated similarity value is greater than δ, the two compared words are considered similar and the result is retained; otherwise the result is rejected and not considered any more. Three types of similarity are defined corresponding to the conditions mentioned above, as follows.

1) Key characteristic similarity

Calculate the similarity between the titles of the documentation outline and the expected key characteristics by formula (5).

$S(W_i, W_{Qj}) = \mathrm{sim}(W_i, W_{Qj}),\quad \forall\, i, j$ (5)

where $W_{Qj}$ is the words for the expected key characteristic, and $W_i$ is the title words of the documentation outline. Define the maximum similarity for each expected key characteristic $W_{Qj}$ as $\max S_{Qj}$, shown as formula (6). Note that if all of the similarities related to $W_{Qj}$ are less than δ, then $\max S_{Qj}$ is set to 0, that is, the key characteristic $W_{Qj}$ is missing in the documentation.

$\max S_{Qj} = \begin{cases} \max\big(S(W_1, W_{Qj}), S(W_2, W_{Qj}), \dots, S(W_i, W_{Qj})\big), & \text{if } S(W_i, W_{Qj}) \ge \delta \text{ for some } i \\ 0, & \text{if } S(W_i, W_{Qj}) < \delta \text{ for all } i \end{cases}$ (6)

2) Key sub-characteristic similarity

Define two sets related to $\max S_{Qj} = 0$, $\mathrm{Sub}_i$ and $\mathrm{Sub}_{Qj}$, as follows.

$\mathrm{Sub}_i = (W_{i,1}, W_{i,2}, \dots, W_{i,m}),\quad \forall\, i, m$ (7)

$\mathrm{Sub}_{Qj} = (W_{Qj,1}, W_{Qj,2}, \dots, W_{Qj,n}),\quad \forall\, j, n$ (8)

where $W_{Qj,n}$ is the expected key sub-characteristic related to $W_{Qj}$ and $W_{i,m}$ is the sub-title of the documentation outline related to $W_i$. Similarly, the similarity between the sub-title and the expected key sub-characteristic can be calculated by formula (9).

$S(W_{i,m}, W_{Qj,n}) = \mathrm{sim}(W_{i,m}, W_{Qj,n}),\quad \forall\, W_{i,m} \in \mathrm{Sub}_i,\ W_{Qj,n} \in \mathrm{Sub}_{Qj}$ (9)

Define the maximum similarity for each expected key sub-characteristic $W_{Qj,n}$ as $\max Ss_{Qj,n}$, shown as formula (10). Note that if all of the similarities related to $W_{Qj,n}$ are less than δ, then $\max Ss_{Qj,n}$ is set to 0, that is, the key sub-characteristic $W_{Qj,n}$ is missing in the documentation.

$\max Ss_{Qj,n} = \begin{cases} \max\big(S(W_{i,1}, W_{Qj,n}), S(W_{i,2}, W_{Qj,n}), \dots, S(W_{i,m}, W_{Qj,n})\big), & \text{if } S(W_{i,m}, W_{Qj,n}) \ge \delta \text{ for some } m \\ 0, & \text{if } S(W_{i,m}, W_{Qj,n}) < \delta \text{ for all } m \end{cases}$ (10)


T. Bai et al.

3) Mismatching key sub-characteristic similarity

It is possible that the required key sub-characteristics are in the wrong place in the documentation. Considering this case, define two new sets $n\mathrm{Sub}_i$ and $n\mathrm{Sub}_{Qj}$ for $\max Ss_{Qj,n} = 0$.

$n\mathrm{Sub}_i = \{W_{i,m},\ \forall\, i, m\},\quad \text{if } S(W_{i,m}, W_{Qj,n}) < \delta$ (11)

$n\mathrm{Sub}_{Qj} = \{W_{Qj,n},\ \forall\, j, n\},\quad \text{if } S(W_{i,m}, W_{Qj,n}) < \delta$ (12)

Then, the mismatching key sub-characteristic similarity is calculated by formula (13).

$Sm(W_{i,m}, W_{Qj,n}) = \mathrm{sim}(W_{i,m}, W_{Qj,n}),\quad \forall\, \max S_{Qj} = 0$ (13)

Similarly, define the maximum mismatching similarity for each key sub-characteristic $W_{Qj,n}$ as $\max Sm_{Qj,n}$, shown as formula (14). Note that if all of the similarities related to $W_{Qj,n}$ are less than δ, then $\max Sm_{Qj,n}$ is set to 0, that is, the key sub-characteristic $W_{Qj,n}$ is missing in the documentation.

$\max Sm_{Qj,n} = \begin{cases} \max\big(Sm(W_{i,1}, W_{Qj,n}), Sm(W_{i,2}, W_{Qj,n}), \dots, Sm(W_{i,m}, W_{Qj,n})\big), & \text{if } Sm(W_{i,m}, W_{Qj,n}) \ge \delta \text{ for some } i, m \\ 0, & \text{if } Sm(W_{i,m}, W_{Qj,n}) < \delta \text{ for all } i, m \end{cases}$ (14)

3.3 Scoring Mechanism

In order to evaluate the documentation structural integrity quantitatively, a scoring mechanism is constructed, where three types of penalty are defined as follows.
1) Missing any key characteristic, defined as P1
2) Missing any key sub-characteristic, defined as P2
3) Mismatching any key sub-characteristic, defined as P3
If the documentation contains all of the required key characteristics and sub-characteristics correctly, that is, the documentation is complete, then the score will be 100. Any of the above penalties will affect the integrity of the documentation, so the scoring mechanism is defined by formula (15).

$S_d = 100 - \sum_{i=1}^{3} \gamma_i P_i$ (15)

where $\gamma_i$ (i = 1, 2, 3) is the penalty factor and satisfies the following constraints,

$\gamma_1 + \gamma_2 + \gamma_3 = 1,\quad \gamma_1 > \gamma_2 > \gamma_3$ (16)


and assuming the number of required key characteristics is n, and the number of required key sub-characteristics is m, then

$P_1 = \sum_{j} p_j,\quad \text{where } p_j = \begin{cases} \dfrac{100}{n}, & \text{if } \max S_{Qj} = 0 \\ 0, & \text{otherwise} \end{cases}$ (17)

$P_2 = \sum_{j,n} p_{j,n},\quad \text{where } p_{j,n} = \begin{cases} \dfrac{100}{m}, & \text{if } \max Ss_{Qj,n} = 0 \\ 0, & \text{otherwise} \end{cases}$ (18)

$P_3 = \sum_{j,n} p_{j,n},\quad \text{where } p_{j,n} = \begin{cases} \dfrac{100}{m}, & \text{if } \max Sm_{Qj,n} = 0 \\ 0, & \text{otherwise} \end{cases}$ (19)

4 Example of Documentation Verification

In order to prove the effectiveness of the proposed automated verification method for the structural integrity of documentation, the documentation of the safety-critical digital I&C system and software for a domestic NPP was chosen, and its outlines are used for testing. Some samples are modified randomly based on the chosen documentation; 20 samples are used in the final test. The parameters in the similarity calculation and the proposed structural integrity calculation are given as α = 1.6, β1 = 0.5, β2 = 0.2, β3 = 0.17, β4 = 0.13 and γ1 = 0.3, γ2 = 0.5, γ3 = 0.2. The results of the sample testing are shown in Table 2. The average verification error is about 7.8%, which could prove the effectiveness of the proposed automated verification method.

Table 2. Results of sample testing

Sample | Penalty score P1 | P2 | P3 | Integrity score | Expected integrity score | Error
S1  | 50  | 20 | 20 | 71  | 67 | 4.00%
S2  | 0   | 0  | 0  | 100 | 92 | 8.00%
S3  | 100 | 60 | 20 | 36  | 36 | 0.00%
S4  | 0   | 40 | 20 | 76  | 68 | 8.00%
S5  | 50  | 40 | 20 | 61  | 49 | 12.00%
S6  | 0   | 80 | 0  | 60  | 56 | 4.00%
S7  | 50  | 40 | 20 | 61  | 53 | 8.00%
S8  | 0   | 40 | 20 | 76  | 72 | 4.00%
S9  | 100 | 0  | 60 | 58  | 70 | 12.00%
S10 | 50  | 80 | 0  | 45  | 41 | 4.00%
S11 | 0   | 60 | 20 | 66  | 70 | 4.00%
S12 | 50  | 20 | 20 | 71  | 59 | 12.00%
S13 | 0   | 20 | 40 | 82  | 74 | 8.00%
S14 | 50  | 60 | 0  | 55  | 47 | 8.00%
S15 | 0   | 0  | 80 | 84  | 92 | 8.00%
S16 | 0   | 40 | 0  | 80  | 76 | 4.00%
S17 | 50  | 80 | 0  | 45  | 29 | 16.00%
S18 | 0   | 20 | 40 | 82  | 70 | 12.00%
S19 | 50  | 40 | 20 | 61  | 45 | 16.00%
S20 | 50  | 20 | 60 | 63  | 59 | 4.00%
Average error: 7.8%
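As an added example (not the authors' implementation), the following Python implements the structural integrity check of Sect. 3.2 and the scoring of Sect. 3.3, Eqs. (15)–(19), with the γ factors given in Sect. 4, and checks the scoring against rows of Table 2. Two assumptions are made: a constructed token-overlap similarity stands in for the HowNet-based word similarity of Eq. (4), the threshold δ = 0.8 is illustrative, and the mismatch penalty P3 is applied when a sub-characteristic is found only under a different key characteristic, following the wording of item 3 in Sect. 3.3; the sample outline is constructed, not the paper's data.

```python
# Penalty factors gamma_1..gamma_3 as given in Sect. 4 of the paper (Eq. 15).
GAMMA = (0.3, 0.5, 0.2)
# Similarity threshold delta; 0.8 is an assumed illustrative value, not the paper's.
DELTA = 0.8


def word_similarity(a: str, b: str) -> float:
    """Stand-in for the HowNet-based sim(W1, W2) of Eq. (4).

    Constructed for this example: Jaccard overlap of lower-cased tokens.
    """
    ta, tb = set(a.lower().split()), set(b.lower().split())
    if not ta or not tb:
        return 0.0
    return len(ta & tb) / len(ta | tb)


def max_similarity(candidates, target, sim=word_similarity, delta=DELTA):
    """maxS of Eqs. (6)/(10): best similarity if it reaches delta, else 0 (missing)."""
    best = max((sim(c, target) for c in candidates), default=0.0)
    return best if best >= delta else 0.0


def integrity_score(p1, p2, p3, gamma=GAMMA):
    """Eq. (15): Sd = 100 - sum(gamma_i * P_i)."""
    return 100 - (gamma[0] * p1 + gamma[1] * p2 + gamma[2] * p3)


def structural_penalties(outline, expected, sim=word_similarity, delta=DELTA):
    """Compute P1, P2, P3 of Eqs. (17)-(19).

    outline:  {section title: [sub-title, ...]} taken from the document outline.
    expected: {key characteristic: [key sub-characteristic, ...]} (Sect. 2).
    """
    n = len(expected)                                   # required key characteristics
    m = sum(len(subs) for subs in expected.values())    # required key sub-characteristics
    p1 = p2 = p3 = 0.0
    all_subtitles = [s for subs in outline.values() for s in subs]
    for key, exp_subs in expected.items():
        # Eqs. (5)/(6): outline section whose title best matches this key characteristic.
        matched_title, best = None, 0.0
        for title in outline:
            s = sim(title, key)
            if s >= delta and s > best:
                best, matched_title = s, title
        if matched_title is None:
            p1 += 100 / n                                # Eq. (17): key characteristic missing
        local_subs = outline.get(matched_title, []) if matched_title else []
        for exp_sub in exp_subs:
            if max_similarity(local_subs, exp_sub, sim, delta) > 0:
                continue                                 # found in the right place
            if max_similarity(all_subtitles, exp_sub, sim, delta) > 0:
                p3 += 100 / m                            # Eq. (19): present under the wrong section (assumed reading)
            else:
                p2 += 100 / m                            # Eq. (18): sub-characteristic missing
    return p1, p2, p3


def verify_documentation(outline, expected, sim=word_similarity, delta=DELTA, gamma=GAMMA):
    p1, p2, p3 = structural_penalties(outline, expected, sim, delta)
    return {"P1": p1, "P2": p2, "P3": p3, "score": integrity_score(p1, p2, p3, gamma)}


# Constructed sample: 2 key characteristics with 5 sub-characteristics in total
# (n = 2, m = 5), loosely modelled on an SRS outline; not the paper's data.
EXPECTED = {
    "functional requirements": ["external interface", "performance requirement", "safety requirement"],
    "verification requirements": ["test coverage", "traceability matrix"],
}
# "performance requirement" is absent and "traceability matrix" sits under the wrong section.
SAMPLE_OUTLINE = {
    "functional requirements": ["external interface", "safety requirement", "traceability matrix"],
    "verification requirements": ["test coverage"],
}
```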

5 Conclusions

As digital I&C systems are widely used in NPPs, the reliability of I&C systems and software, especially of safety-critical I&C systems and software, has caused widespread concern around the world. As the most effective method to ensure the reliability of I&C systems, how to improve the quality, effectiveness and efficiency of V&V activities is a key issue. Documentation verification is one of the important V&V activities, whose quality highly depends on the capability of the reviewer. In order to reduce human factors and improve the efficiency and quality of verification, primary research on an automated documentation verification method is performed. An automated documentation structural integrity method based on natural language processing is proposed. Sample tests are performed to prove the effectiveness of the proposed method. Further research will focus on automated verification of the whole documentation.

References
1. HAD 102/16: Computer-Based Safety-Critical System Software of Nuclear Power Plants. National Nuclear Safety Administration (2004). (in Chinese)
2. IEEE Std. 1012: IEEE Standard for Software Verification and Validation (2004)
3. SSG 39: Design of Instrumentation and Control Systems for Nuclear Power Plants. IAEA (2016)
4. IEC 60880: Nuclear Power Plants - Instrumentation and Control Systems Important to Safety - Software Aspects for Computer-based Systems Performing Category A Functions (2006)
5. ISO/IEC 25051: Software Engineering - Systems and Software Quality Requirements and Evaluation (SQuaRE) - Requirements for Ready to Use Software Product (RUSP) and Instructions for Testing (2014)
6. NUREG-0800 BTP-7-14: Guidance on Software Reviews for Digital Computer-Based Instrumentation and Control Systems, Rev. 5 (2007)
7. NUREG/CR 6101: Software Reliability and Safety in Nuclear Reactor Protection Systems. NRC (1993)
8. IEEE Std. 830: IEEE Recommended Practice for Software Requirements Specifications (1998)
9. Ge, B., Li, F.F., Guo, S.L., et al.: Word's semantic similarity computation method based on HowNet. Appl. Res. Comput. 27(9), 3329–3333 (2010). (in Chinese)
10. Liu, Q., Li, S.J.: Word semantic similarity calculation based on HowNet. Comput. Linguist. Chin. Lang. Process. 7(2), 59–76 (2002). (in Chinese)

Software Quality Evaluation of Non-safety Digital I&C System in NPPs

Wang-Ping Ye(B)
State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, I&C Equipment Qualification and Software V&V Laboratory, China Nuclear Power Engineering Company Ltd., Shenzhen, China

Abstract. As an important process control system in nuclear power plants, the non-safety digital I&C system has the characteristics of numerous internal and external interfaces, complex functions and a low development integrity level. Users pay more and more attention to the quality in each phase of its life cycle, such as design, equipment manufacturing, commissioning and verification, delivery, operation and maintenance. This paper studies the software quality evaluation process, and proposes an applicable system of regulations and standards and a quality evaluation model. The contents and key elements of quality evaluation in three important phases of the life cycle process are discussed in detail, and the V&V technical requirements and quality management requirements are integrated, which provides a reference for the implementation of new-build nuclear power plants and modernization projects.

Keywords: Quality evaluation · Verification and Validation (V&V) · Nuclear power plant · Non-safety I&C system

1 Introduction

With the increasing application of digital technology in nuclear power plants, the reliability of software is still one of the focuses of all parties. As software is a kind of logic product, its defects are mainly caused by design errors, which may exist in multiple redundant channels and components of the I&C system at the same time, leading to failure of the I&C system. System failure is closely related to its operating environment, and hardware failure often leads to software failure. For example, a fuel deformation event in a domestic nuclear power plant was caused by multiple logic errors in the upgraded control software of the nuclear fuel loading, unloading and storage system. The internal logic implementation of the local PLC of another nuclear power plant is unknown and frequently causes system function errors, as well as other problems such as communication interruptions and life-monitoring errors of the communication function. Compared with the safety I&C system, the non-safety digital I&C system has more problems in the process of design, manufacture, commissioning, operation and maintenance, such as a lack of systematic quantitative reliability analysis methods, risk analysis and control methods, insufficient testing and verification methods, and the complexity of transient test control. In detail, in the design phase, there is a lack of complete, reliable and clear measurement and control requirements, and the suitability of design parameters is difficult to evaluate. In the manufacturing phase, the development integrity level and the testing rigor of the non-safety I&C platform are not high, which can lead to many system defects. In the commissioning phase, the analysis of important control interlocking and protection functions is insufficient, and the completeness of verification is not easy to confirm. In order to achieve the expected reliability and availability of the non-safety digital I&C system, verification and validation throughout the whole life cycle are required in the process of software development. At the same time, process quality evaluation is carried out to form a closed loop with the system research and development process, which is an effective means of life cycle quality risk control.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 420–428, 2021. https://doi.org/10.1007/978-981-16-3456-7_40

2 Standard System

At present, the regulations and standards followed by safety digital I&C system software are relatively complete, and there are many applications and practices in nuclear power plants at home and abroad. The main standards used to guide the research and development of software for non-safety digital I&C systems are also mainly IEEE and IEC standards, which can be used; it is suggested to select lower-level requirements for application. In addition, some requirements of common industrial standards and COTS-related standards can be combined [1]. Based on the experience of safety V&V and the application practice of other industries, this paper proposes the standard architecture in Table 1 to guide the software quality evaluation of non-safety digital I&C systems. It is suggested that in the quality evaluation activities of the life cycle process, the requirements of these standards should be reasonably matched and selected in each phase, and compliance review and testing should be carried out.

Table 1. Standard architecture of software quality evaluation

Level | Type | Standard code | Application analysis
1 | Plant | HAF102-2016; HAD102/16-2004 | Evaluation of system and software design requirements
2 | I&C System | IEC 61513-2011 | Evaluation of I&C overall structure design requirements
3 | Computerized System | IEC 61508-1 2010 | Check system design and functional safety defects, like dangerous/risk/hazard points
4 | Software Requests | IEC 62138-2004 | Evaluation of compliance with software design requirements
4 | V&V Process | IEEE 1012-2004; IEC 61508-3 2010; TRS-384-1999 | Process, tasks and contents of software V&V
5 | Quality Evaluation | GB/T 25000.51-2016; GB/T 16260-2006 | Evaluation of software quality requirements, quality model in life cycle
5 | Configuration Management | IEEE 828-2012; IEEE 1042-1987 | Evaluation of software configuration management in life cycle
5 | Review/Audit | IEEE 1028-2008 | Review methodology used in software evaluations
6 | Test Specification | GB/T 15532-2008; NB/T 25040-2014 | Guide the process of software testing, factory acceptance test, site acceptance test and site integration test
6 | Test Documentation | IEEE 829-2008 | Guide the writing of software test documents
7 | Code Specification | GB/T 28169-2011; GJB 5369-2005; NUREG/CR6463-1996 | Check specification requirements in software programming

W.-P. Ye

Standard IEC 61513 specifies the objectives and the required inputs and outputs of system and software life cycle development activities. It also specifies basic requirements for the system configuration management plan, system security plan, system integration plan, system installation plan, system operation plan and system maintenance plan. IEC 61508 puts forward requirements to effectively predict and evaluate the risks of the controlled equipment during the design process and to adopt the necessary safety-related systems to reduce those risks. IEC 62138 stipulates the basic requirements for the software development activities of computer-based I&C systems performing class B and class C functions, supplementing and refining the relevant requirements of IEC 61513; software of non-safety DCS is suggested to follow the class C requirements of this standard. IEEE 1012 stipulates the whole implementation process of software V&V activities. GB/T 25000.51 and GB/T 15532 specify the quality requirements and evaluation requirements of software products. IEEE 828 (RG1.169) and IEEE 829 (RG1.170) respectively stipulate the requirements and guidance for software configuration management and development documentation. NB/T 25040 specifies the guidelines for the factory acceptance test (FAT), site acceptance test (SAT) and site integration test (SIT) of non-safety digital I&C systems.

3 Quality Evaluation Model

The development process of the non-safety digital I&C system in a nuclear power plant is divided into the requirements analysis phase, design phase, implementation phase, appraisal/finalization phase, and delivery, operation and maintenance phase [2]. The requirements analysis phase covers system operation, parameters, design restrictions, instrument control, human-machine interface, system boundary and other analysis contents, and its output is the system requirement specification. The design phase includes regulations and standards analysis, overall architecture, function allocation, software and hardware design, etc.; its output is the system design manual, which is completed by the overall design unit together with the system requirement specification. The implementation phase includes system platform design, software and hardware development, application function design, source code design, software and hardware integration, system testing and confirmation testing; its outputs are the delivered equipment with supporting documents and records, completed by the equipment manufacturer. The appraisal/finalization phase includes independent evaluation by a third party, site installation test, commissioning, etc., and is completed by the installation and commissioning unit; its outputs are the systems and equipment that have passed commissioning, with supporting documents and records. Software quality management activities run through the entire development process described above. Complete quality management is implemented, including the determination of quality indicators, the design and implementation of the quality indicators, and the testing and verification of the degree to which the quality indicators are satisfied. The suitability and sufficiency of the various system development activities are comprehensively demonstrated, focusing on whether the equipment provided by the equipment manufacturer can meet the reliability requirements of the target application. The specific quality evaluation model is shown in Fig. 1.

Fig. 1. Quality evaluation model of software. [Figure: the software life cycle process (Software Requirement Analysis, Software Design, Software Realization, Software Authentication, Software Delivery and Operation) is paralleled by Software Verification and Validation (V&V) and by Software Quality Analysis and Assessment (Software Quality Index Determination, Design and Implementation of Software Quality Index, Software Test and Verification, Delivery and Operation Maintenance), all under Software Quality Management.]

4 Evaluation Key Points

4.1 Design Phase

The design phase is the source of the software life cycle. The design requirements are converted into the detailed design of each finished product, including the control logic diagram, I/O list and set point manual. The correctness, completeness and consistency of the control logic and of the requirement allocation directly affect the development of the I&C system software and its use by end users. Therefore, carrying out design quality evaluation is the key activity for ensuring the correct realization of user requirements. The purpose of quality evaluation activities in the design phase is to verify that the I&C design is a correct, accurate and complete transformation of the design requirements and that no unexpected features are introduced, so as to ensure the correctness, completeness, accuracy and readability of the design documents and their consistency with the upstream input. The following contents must be considered in design quality evaluation: the completeness and clarity of the I&C function requirements specification, the consistency between the I&C function requirements and the I&C platform, the compliance of the I&C function requirements specification with the corresponding engineering requirements (e.g. codes, symbols, etc.), the correctness and completeness of the requirements as design inputs, the correctness of each I&C function module, and the consistency between the I&C functions. The verification and validation of the regulating functions and regulating parameter settings of the digital I&C system, and of other important matters that can easily cause turbine and reactor trip events, should be the focus, verifying the suitability of the control logic and design parameters. The main tasks of design quality evaluation include design function and interface verification, parameter verification, requirement sorting and itemization, and requirement traceability analysis [3]. The check of the integrity of the LD/AD is a focus, that is, ensuring that every line, function block, interface and note in the LD/AD is covered and verified. The input and output files of the design phase evaluation are shown in Table 2.

Table 2. Input and output of design phase evaluation

Work tasks | Items | Foundation documents | Verification documents
Diagram verification | Forward | Control measurement requirements; contract technical appendix | LD/AD; I/O list
Diagram verification | Backward | LD/AD; I/O list | Control measurement requirements; contract technical appendix
Parameter validation | / | Control measurement requirements; LD/AD | Set point manual

Design quality evaluation methods mainly include static verification methods and dynamic verification methods. The static verification method does not need verification tools; it is completed by static inspection and analysis of the design documents by personnel with design review qualifications. The verification method based on dynamic experimental testing uses software or hardware to simulate the design behaviour and then finds the problems existing in the design through dynamic operation: a certain scenario is set for the testers to carry out actual operation, and evaluation conclusions are given according to the test results. The simulation platform should provide process model simulation, control model simulation and a human-machine interface. It analyses the configuration diagram data package and reconstructs the control diagram, then imports the LD/AD into the simulation verification platform and dynamically integrates the power plant process model and the human-machine interface. Test cases are designed according to the power plant operating conditions and the relevant design requirements to implement dynamic verification.

4.2 Equipment Manufacturing Phase

In the equipment manufacturing phase, the equipment supplier completes the software and hardware realization activities, that is, converting the software design into source code, database structures and related executable machine representations. Software quality evaluation involves software coding tests and simulation tests to verify that these conversions are correct, accurate and complete. The main tasks of equipment manufacturing quality evaluation include system document conformity review, control station configuration document review, requirement traceability analysis, interface analysis and experience feedback issue review, with a focus on the verification and review of diagrams and signals. The other part is application algorithm block review and software confirmation testing [4]. The methods involved include static testing methods and dynamic testing methods. The input and output files are shown in Table 3.

Table 3. Input and output of equipment manufacturing phase evaluation

Work tasks | Items | Foundation documents | Verification documents
Diagram tracing | Forward | Logic/Analog Diagram | Typical Functional Configuration Diagram; Source Code
Diagram tracing | Backward | Typical Functional Configuration Diagram; Source Code | Functional Diagram
Signal tracing | Forward | Set point Manual; I/O List | Cabinet Detailed I/O List
Signal tracing | Backward | Cabinet Detailed I/O List | Set point Manual; I/O List
Algorithm block test | Forward | Software Function Block Requirements Specification; Coding Specification | Function Block Source Code
Algorithm block test | Backward | Function Block Source Code | Software Function Block Requirements Specification; Coding Specification
Confirmation test | Forward | System/Scheme Description; Requirements Specification; Contract Technical Appendix | Test Plan, Test Procedure, Test Report; Computer Integration System
Confirmation test | Backward | Test Plan, Test Procedure, Test Report; Computer Integration System | System/Scheme Description; Requirements Specification; Contract Technical Appendix
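The forward and backward tracing rows of Tables 2 and 3 amount to a bidirectional coverage check between a foundation document and its verification document. The following Python is an added example with constructed sample identifiers, not the paper's own tooling: it performs that check for the design phase (requirements to LD/AD) and the manufacturing phase (LD/AD to function block source), reports forward gaps, backward orphans (candidate unexpected features) and links to unknown items, and follows the chain end to end.

```python
"""Bidirectional traceability check for the design-phase (requirements -> LD/AD) and
manufacturing-phase (LD/AD -> function block source) evaluations of Tables 2 and 3.
Added example with constructed sample data; every identifier below is hypothetical."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Link:
    """One trace link: `downstream` claims to realise `upstream`."""
    upstream: str
    downstream: str


@dataclass
class TraceReport:
    uncovered_upstream: Set[str]   # forward gap: foundation item with no realisation
    orphan_downstream: Set[str]    # backward gap: verification item with no origin
    dangling: List[Link]           # link naming an item absent from either document

    def is_complete(self) -> bool:
        return not (self.uncovered_upstream or self.orphan_downstream or self.dangling)


def trace(upstream: Set[str], downstream: Set[str], links: List[Link]) -> TraceReport:
    """Forward check: every upstream item is covered by some link. Backward check:
    every downstream item is referenced by some link. Links to unknown identifiers
    are reported as dangling instead of silently counting as coverage."""
    covered: Set[str] = set()
    referenced: Set[str] = set()
    dangling: List[Link] = []
    for link in links:
        if link.upstream not in upstream or link.downstream not in downstream:
            dangling.append(link)
            continue
        covered.add(link.upstream)
        referenced.add(link.downstream)
    return TraceReport(upstream - covered, downstream - referenced, dangling)


def end_to_end(requirements: Set[str], *stages: List[Link]) -> Dict[str, Set[str]]:
    """Follow the links stage by stage (REQ -> LD/AD -> function block) and return,
    for each requirement, the set of final-stage items it reaches (empty = unrealised)."""
    reach = {req: {req} for req in requirements}
    for links in stages:
        reach = {req: {l.downstream for l in links if l.upstream in items}
                 for req, items in reach.items()}
    return reach


# Constructed sample documents (hypothetical identifiers).
REQUIREMENTS = {"REQ-01", "REQ-02", "REQ-03"}              # control measurement requirements
LD_AD_SHEETS = {"LD-101", "LD-102", "LD-103"}              # logic/analog diagram sheets
FUNCTION_BLOCKS = {"FB-CMP-01", "FB-AND-02", "FB-TMR-09"}  # configured source blocks

DESIGN_LINKS = [Link("REQ-01", "LD-101"), Link("REQ-02", "LD-102"),
                Link("REQ-99", "LD-102")]                  # REQ-99 does not exist: dangling
MANUFACTURING_LINKS = [Link("LD-101", "FB-CMP-01"), Link("LD-102", "FB-AND-02")]


def evaluate() -> Dict[str, object]:
    """Run both phase checks plus the end-to-end chain on the sample documents."""
    design = trace(REQUIREMENTS, LD_AD_SHEETS, DESIGN_LINKS)
    manufacturing = trace(LD_AD_SHEETS, FUNCTION_BLOCKS, MANUFACTURING_LINKS)
    chain = end_to_end(REQUIREMENTS, DESIGN_LINKS, MANUFACTURING_LINKS)
    realised = {req for req, blocks in chain.items() if blocks}
    return {"design": design, "manufacturing": manufacturing, "realised": realised}


if __name__ == "__main__":
    result = evaluate()
    for phase in ("design", "manufacturing"):
        rep = result[phase]
        print(f"{phase}: uncovered={sorted(rep.uncovered_upstream)} "
              f"orphans={sorted(rep.orphan_downstream)} dangling={len(rep.dangling)}")
    print("requirements realised in source:", sorted(result["realised"]))
```

On the sample data the design phase reports REQ-03 uncovered and LD-103 as an orphan sheet, and the manufacturing phase reports FB-TMR-09 as an orphan block; only REQ-01 and REQ-02 reach source code.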

The evaluation of equipment manufacturing quality should focus on pure software problems, including the important logic that can easily cause common cause failure (CCF) or turbine and reactor trips, the engineering applicability of the non-safety digital I&C platform, and the testing of the software algorithm blocks that are the basis for realizing the application software functions. Like the software testing of safety digital I&C systems, the test methods for non-safety I&C systems mainly include document review, code walkthrough, code analysis, unit test, integration test and system test. The test requirements are shown in Table 4.

4.3 Commissioning Phase

Commissioning verification is a comprehensive inspection of the equipment and system after installation, so as to ensure that the individual equipment and the overall performance of the non-safety digital I&C system meet the design requirements and the relevant operating criteria. The aim is to verify the output results of the previous phases, such as design and manufacturing, to further investigate potential and legacy software, hardware or system interface problems after FT/FAT, and finally to ensure that all control and protection systems meet the functional design requirements. Because of the use of CPUs and of complex communication and network technology, a large number of tests can be performed in the factory environment, and functions that have been fully tested in the factory tests do not need to be retested during commissioning. The main tasks of site commissioning verification quality evaluation include I/O inspection, interface verification, and actuator transmission or partial function testing. The input and output files of commissioning evaluation are shown in Table 5 [5]. Simulation technology is recommended for commissioning non-safety digital I&C systems, and semi-physical testing equipment or other portable commissioning and verification tools should be researched and developed. The commissioning device is hard-wired to the cabinet of the target I&C system, and the site functional test or transient simulation analysis is completed before the unit starts. After fuel loading, as the unit is started and taken up to the 100% power platform, closed-loop response tests and transient operation verification based on actual operating conditions are repeatedly arranged. Finally, hidden and potential configuration design, parameter setting and interface problems of the digital I&C system are investigated through iterative testing and verification under complex operating conditions at the different stages. The dynamic response test of the control parameters and the test of the process control parameters cannot be fully carried out in factory testing and single-system testing. The full scale simulator also seldom verifies system interlocks, network signal transmission and equipment interfaces, and cannot effectively verify the process control logic of analog quantities. Therefore, commissioning verification should identify the important control interlock and protection functions of the unit, and analyse the function design of the related measurement and control channels and the interface influence of the I&C critical components (CCM1). It should sort out the verification items that cannot be implemented in the factory test (FT)/factory acceptance test (FAT) of the design and equipment manufacturing phases based on simulation technology or on the full scale simulator virtual DCS system (FSS) (such as verification of the first operating condition, and verification where real equipment actions or acceptance criteria impose time requirements on the loop or system response), and it should sort out the verification items mandatorily required by regulations and standards or by regional power grid supervision, and other special verification (such as EMC, performance assessment, etc.).

Table 4. Test requirements of algorithm block

Method | Type | Requirements
Static | Document review | Review the accuracy, non-ambiguity, standardization and readability of the document; review consistency with upstream design documents
Static | Code walkthrough | Check in terms of traceability, logic, data, interfaces, comments, exception handling, memory, etc.
Static | Code analysis | Use code analysis tools to check array out-of-bounds access, pointers, security vulnerabilities, uninitialized variables, data flow, comment rate and coding specification
Dynamic | Unit test | Unit tests of all algorithm blocks and calling functions. Complete the test and analysis of statement, branch and MC/DC coverage, and analyse and explain any coverage below 100%. Test cases need to cover logic testing, functional testing, performance testing, interface testing and boundary testing
Dynamic | Integration test | Through the incremental, step-by-step integration method, each algorithm block that has passed the unit test is gradually combined for testing. Test cases need to cover functional testing, interface testing, data structure testing, resource testing, priority conflict testing, performance and stability testing, etc.

Table 5. Input and output of commissioning phase evaluation

Work tasks | Items | Foundation documents | Verification documents
Commissioning verification | Forward | Design documents (system design manual, set point manual, equipment operation and maintenance manual); installation documents; test documents (commissioning plan, commissioning procedures) | Integrated system (hardware, software source code, user documents, configuration data, etc.)
Commissioning verification | Backward | Integrated system (hardware, software source code, user documents, configuration data, etc.) | Design documents (system design manual, set point manual, equipment operation and maintenance manual); installation documents; test documents (commissioning plan, commissioning procedures)
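The unit-test row of Table 4 asks for MC/DC coverage of each algorithm block, with any shortfall from 100% explained. As an added example that is not from the paper, the Python below checks unique-cause MC/DC for a constructed three-condition interlock decision against a constructed set of test vectors, names the condition whose independent effect is not demonstrated, and derives a minimal vector set that reaches 100%.

```python
"""MC/DC coverage check and test-vector derivation for the boolean decision of an
algorithm block, illustrating the unit-test requirement of Table 4.
Added example: the interlock block and the test vectors are constructed, not the paper's."""
from itertools import combinations, product
from typing import Callable, Dict, List, Optional, Sequence, Tuple

Vector = Tuple[bool, ...]
Decision = Callable[[Vector], bool]

CONDITIONS = ("level_low", "pressure_high", "inhibit")   # hypothetical block inputs


def pump_trip(v: Vector) -> bool:
    """Hypothetical interlock decision: trip on low level or high pressure unless inhibited."""
    level_low, pressure_high, inhibit = v
    return (level_low or pressure_high) and not inhibit


def independence_pairs(decision: Decision, vectors: Sequence[Vector],
                       n: int) -> Dict[int, Optional[Tuple[Vector, Vector]]]:
    """Unique-cause MC/DC: for each condition i, find two tested vectors that differ
    only in condition i and produce different decision outcomes. None means the
    independent effect of condition i has not been demonstrated by the test set."""
    tested = set(vectors)
    pairs: Dict[int, Optional[Tuple[Vector, Vector]]] = {}
    for i in range(n):
        pairs[i] = None
        for a in sorted(tested):
            if a[i]:
                continue                       # report each pair once (i: False -> True)
            b = a[:i] + (True,) + a[i + 1:]
            if b in tested and decision(a) != decision(b):
                pairs[i] = (a, b)
                break
    return pairs


def mcdc_coverage(decision: Decision, vectors: Sequence[Vector],
                  names: Sequence[str] = CONDITIONS) -> Tuple[float, List[str]]:
    """Return (fraction of conditions with an independence pair, names of the conditions
    still uncovered); the uncovered list is what the test report must explain whenever
    coverage is below 100%."""
    pairs = independence_pairs(decision, vectors, len(names))
    uncovered = [names[i] for i, p in pairs.items() if p is None]
    return (len(names) - len(uncovered)) / len(names), uncovered


def minimal_mcdc_set(decision: Decision, n: int) -> Optional[List[Vector]]:
    """Smallest vector set reaching 100% unique-cause MC/DC (needs at least n+1 vectors).
    Exhaustive search is affordable for the few inputs an algorithm block has; None
    means unique-cause MC/DC is unreachable because conditions are strongly coupled."""
    universe = list(product((False, True), repeat=n))
    for size in range(n + 1, len(universe) + 1):
        for combo in combinations(universe, size):
            if all(p is not None for p in independence_pairs(decision, combo, n).values()):
                return list(combo)
    return None


# Constructed unit-test procedure: four vectors a tester might have chosen.
PROCEDURE_VECTORS: List[Vector] = [
    (False, False, False),
    (True, False, False),
    (True, True, False),
    (True, True, True),
]

if __name__ == "__main__":
    cov, gaps = mcdc_coverage(pump_trip, PROCEDURE_VECTORS)
    print(f"MC/DC coverage {cov:.1%}; independent effect not shown for: {gaps}")
    print("minimal complete set:", minimal_mcdc_set(pump_trip, len(CONDITIONS)))
```

The constructed procedure reaches only two of three conditions (pressure_high is never toggled on its own with a change of outcome), which is exactly the shortfall the test report would have to explain or close with the derived four-vector set.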

5 Conclusions

With the increasing number of new nuclear power construction projects and in-service power plant modernization projects, safety regulators and power plant owners are paying more and more attention to the software quality of non-safety digital I&C systems. The means of quality control are gradually transitioning from equipment supplier factory verification to third-party independent verification. The quality evaluation strategy for non-safety digital I&C systems proposed in this paper can provide a working and planning idea for all parties.

References

1. IAEA-TECDOC-1016: Modernization of instrumentation and control in nuclear power plants
2. IEEE 1012-2004: IEEE Standard for Software Verification and Validation
3. Guang-Xin, Z., Zhi-Yong, L.: Non-safety I&C system control logic design verification based on design analyzer of CAP1400 Nuclear Power Plant. Chem. Autom. Instrum. (43) (2016)
4. Lei, C., Miao, T., Song, W.: Non-safety DCS testing of nuclear power plant. China Computer & Communication, No. 24 (2016)
5. NB/T 25040-2014: Non-safety classified digital control system in nuclear power plants factory acceptance test (FAT), site acceptance test (SAT), and site integration test (SIT)

Preliminary Study on Improving the Automation Level of Large Commercial Pressurized Water Reactor

Dong-Bao Lv, Ri-Gang Chen(B), and Xi-Yun Li
China Nuclear Power Engineering Co., Ltd., Beijing 100840, China

Abstract. Digital instrumentation and control (I&C) systems have been widely applied in large commercial pressurized water reactors (PWR), which brings significant convenience to their operation. However, the level of automation and the operating efficiency of nuclear power plants are still lower than those of conventional power plants such as thermal or hydro power plants. On the one hand, the safety and reliability requirements of nuclear power plants always favour mature and proven technology rather than emerging technology such as artificial intelligence. On the other hand, the complexity of system design and operating requirements also makes it difficult to improve the automation level of nuclear power plants. To deal with these difficulties, a statistical analysis is given to identify the challenges in improving the automation level, and a framework for plant-level autonomous operation is given to illustrate how to organize the available techniques and algorithms to reach this goal. For the new functions, algorithms and equipment involved in the framework, the requirements of nuclear safety should be considered; therefore the related requirements that need to be addressed are also discussed in this paper.

Keywords: I&C system · Pressurized water reactor · Artificial intelligence · Smart plant

1 Introduction

Nuclear energy contributes about 5% of the electricity in China. Among the 59 nuclear power units in operation or under construction in China, 55 are pressurized water reactors [1]. In recent years, digital I&C systems have been used in newly built PWRs to increase the automation level and operating efficiency. Advanced technologies and concepts such as artificial intelligence (AI) and the smart plant, already widely applied in conventional power plants, may further improve the automation level of PWRs, but considerations of nuclear safety have kept the application of those technologies in PWRs at a preliminary stage [2]. To promote the development of smart nuclear power plants and improve the automation level, the safety and economic factors should be the focus. From the safety aspect, a PWR has a comprehensive safety system design and operating procedures to deal with nuclear accidents, which do not exist in conventional power plants. Therefore the automation level of a PWR is not only defined by its normal operating condition but is also related to its performance in accident conditions. A target automation level of a PWR can be defined as "unmanned surveillance, few people on duty". "Unmanned surveillance" refers to the maximized level of automation when the plant is operated in normal situations. "Few people on duty" refers to the minimized number of staff that should always be ready to deal with a nuclear accident, which corresponds to the minimum level of automation that needs to consider all possible situations that may happen in accident conditions. By increasing the automation level, the safety of the PWR can also be improved, as less human operation reduces the possibility of human error, which is a main cause of many nuclear accidents. From the economic aspect, the difference in cost distribution between nuclear and conventional power plants also makes the target of a smart nuclear power plant different from that of a thermal power plant. Fossil fuel is the main cost of a thermal power plant, so the optimization of control and automation functions when developing a smart power plant is highly focused on fuel efficiency. On the contrary, the fuel cost of a PWR contributes only a small part of its total cost, and once the fuel is loaded its efficiency can be maximized by full power output. Improving the level of automation contributes to economic performance by reducing the number of operating staff and by process optimization in auxiliary systems; this improves economic performance but is less significant than in a thermal power plant. Meanwhile, using smart techniques and equipment to decrease the time needed for maintenance and periodic shutdown can significantly increase the economic benefit for a PWR, but that is not the topic of this paper.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 429–435, 2021. https://doi.org/10.1007/978-981-16-3456-7_41
Based on the above, this paper analyses the challenges in improving the automation level of PWRs based on a statistical analysis of the operator's tasks. To deal systematically with those challenges, a framework for autonomous operation is given to improve the automation level and operating efficiency of PWRs. Besides the functional design, considerations of nuclear safety are also discussed in this paper to guarantee a reliable implementation of the smart nuclear power plant.

2 Current Status

Improving the automation level of large commercial PWRs is too general a topic to discuss and to provide a focus for implementation. To make it more specific, a statistical analysis of the tasks of the control room operator has been carried out to find what kinds of task limit the level of automation and how to solve this. The operating tasks of the control room operator generally include monitoring and control through the HMI of the I&C system, communicating with other staff, decision making, and the use of third-party equipment (e.g. physical protection or grid coordination equipment). The basis for the statistical analysis is selected from the emergency operating procedure of the HPR1000 PWR. HPR1000 is a third generation PWR with a digital I&C system and control room. It has eight units under construction in China and may represent the mainstream PWR technology in China for the following years. The reason for selecting the emergency operating procedure for analysis is that it contains many complex situations that the operator needs to deal with in accident situations, which are difficult to realize by automation logic. From the analysis result, the operating tasks divided to procedure step level can be classified as "Automatic logic alone", "Require AI or advanced algorithm" and "Require local operation". Table 1 shows the statistical result.

Table 1. Statistic analysis for operation tasks

Measure | Automatic logic alone | Require AI or advanced algorithm | Require local operation | Require both | Total steps
Number of steps | 791 | 243 | 132 | 25 | 1191
Percentage of steps (not overlapped) | 66.4% | 20.4% | 11.1% | 2.1% | -
Percentage of steps (overlapped) | 66.4% | 22.5% | 13.2% | - | -

About "automatic logic alone", which accounts for about 66.4% of the steps: the task can be completed by traditional automatic approaches such as sequence control, group control or closed-loop control. The reason these tasks are not automatically implemented is that the operating procedure in accident situations involves complex decision branches and parallel tasks that cannot be realized by traditional sequence control, and those steps are separated by other steps that cannot be automatically implemented, which introduces break points in the control sequence. To improve the level of automation for those steps, a schedule mechanism is required and the break points between steps should be addressed by other approaches. About "Require AI or advanced algorithm", which accounts for about 22.5% of the steps: these tasks may require knowledge- or experience-based decision making by the human operator. They can be implemented by artificial intelligence models that use operation records as input, or by advanced control algorithms such as fuzzy controllers, adaptive controllers, model recognition, etc. [3–5]. The fast development of artificial intelligence brings an alternative approach to improving the level of automation, which has been proved effective in thermal power plants but remains at the research stage for nuclear power plants. For application in PWRs, on the one hand safety and reliability should be considered; on the other hand there are still some tasks, such as decision making based on experts or external information, that cannot be automatically implemented by AI or advanced algorithms. Improving the automation level in this aspect needs task-based application of AI or advanced algorithms, as well as I&C equipment with the capability to implement those algorithms. About "Require local operation", which accounts for about 13.2% of the steps: it generally covers two kinds of situation. One is that the I&C system lacks the capability to execute field tasks within the I&C system, so they need to be done by a local operator. The other is manual confirmation of task execution for safety purposes. To deal with these situations, a smart I&C system that extends the capability of instruments, actuators and automatic field inspection devices can reduce the workload of manual operation in the field. Speech recognition can also be used to reduce the workload of the control room operator when assigning jobs to field operators or communicating with staff outside the control room. A similar analysis has also been applied to the normal operating procedure, with a similar conclusion, although it needs more support from local operation and less support from AI or advanced algorithms. To address these detailed challenges, one may begin by making full use of the capability of the digital I&C system to implement the tasks that require "automatic logic alone" in the automation system, and a framework that can organize these tasks should be established. Then the hardware and software capability of the I&C system can be extended to provide a platform for implementing advanced automatic functions. Then software related to AI or advanced algorithms, and hardware that can improve the efficiency of local operation, can be gradually implemented in PWRs as their reliability grows with application experience.

3 Framework on Improving the Automation Level

As the operating tasks are analysed at step level and can be solved by individual technologies, a framework that organizes those individual functions to complete a plant-level operating task or process is necessary to improve the level of automation of PWRs. A classic structure of intelligent control by Saridis has three levels: the organization level, the coordination level and the execution level [6]. Based on this model, Fig. 1 shows how this structure matches the function analysis and organization in an I&C system of a PWR with the capability of autonomous operation.

Fig. 1. Functional structure of a framework on improving the automation level

When this three-layer structure is applied to the operating requirements of a nuclear power plant, the organization level plans the safety and availability targets, such as setting the electrical power plan, which is the top-level requirement of the nuclear power plant. Then, in the design of the nuclear power plant, the top-level target is broken down into system-level requirements following a functional analysis process. The coordination level implements these functions, determines the feasibility of the functional targets, and carries out the plan and strategy to reach the operating goal. The execution level contains the functional modules for each individual step, which can be called to perform the desired task when necessary. Under this structure, the application of AI, advanced algorithms and equipment will gradually increase the percentage of task steps that can be automatically executed by the I&C system. Then the level of automation can be improved with a schedule mechanism in the coordination level that links each single step into a plant-level process. As a long-term goal, with deep application of AI and other advanced technology enabling nearly all tasks in the execution level (some tasks, such as getting suggestions from the technical support centre, coordinating with emergency response, and chemical sampling and analysis, may still need human operation, but the interface with the control room operator can be automated by speech recognition), a coordination-level automation that can automatically complete plant-level processes and procedures will be achievable. Then the operator interface will remain in the organization level, to set the target for power generation and monitor the safety status of the plant.

[Fig. 2 block diagram, recovered labels only: Human Interface -> Task Schedule Module, which issues Call / Start / Stop / Abort / Reset / Jump to commands to the Execution Module and receives Status feedback from it. The Execution Module holds a Main Line Step Set (Current step for task 1 ... Current step for task N) and a Continuous Step Set (Continuous step 1 ... Continuous step N), takes Input signals related to the control process, and feeds a Priority Module whose Output goes to the traditional I&C control module and whose Conflict feedback returns to the Task Schedule Module. A Speech Interaction and Interface with External Equipments block sits alongside.]

Fig. 2. Framework for schedule mechanism in coordination level

D.-B. Lv et al.

For the schedule mechanism in the coordination level, Fig. 2 shows a framework that addresses the following issues raised in the challenge analysis:
• complex procedure sequences with decision branches and continuous steps;
• parallel task execution with a conflict and priority management strategy;
• speech recognition and interfaces with equipment outside the I&C system.
In this framework, a task schedule module manages all of the processes in execution and keeps track of the current step in each process. If a conflict between commands appears, it analyses the priority of the tasks and reschedules them by starting, stopping, aborting, resetting or jumping to steps of the processes currently under execution. Once the conflict has been resolved, the execution module processes multiple parallel steps and provides status feedback to the task schedule module. Each plant-level process or procedure has a current step that indicates its position and progress, and it may also have multiple continuous steps that need to be handled within a period of time. These two kinds of steps are managed by two step sets: the main line step set and the continuous step set. Conventional logic, AI or other advanced algorithms are embedded behind a standard interface for the implementation of each step, so that they can be controlled and managed by the task schedule module and the execution module. The algorithm in each step processes the related input signals and then outputs control commands through the I&C system or another external interface, such as automatic speech interaction with a field operator. When multiple tasks send conflicting commands to one piece of equipment, a priority module detects the conflict, gives conflict feedback to the task schedule module, and passes the command with the higher priority to the equipment-level logic in the I&C system. For field operations outside the scope of the I&C system, a speech interaction system can carry out the communication task from the control room operator to the field operator or other related staff, and an interface with external equipment such as an unmanned aerial vehicle (UAV) or a robot for field inspection reduces the number of break points due to local operation. On this basis, if research and development on algorithms and equipment can make each step of an operation task execute automatically, the management and schedule framework provides the function of plant-level autonomous operation, and the operator's task is reduced to setting the operation target and monitoring the safety status of the PWR.
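As an added illustration that is not code from the paper, the following Python model sketches the schedule mechanism just described: a task schedule module that tracks the current main-line step of each plant-level task, an execution module that emits one command per running task each cycle, and a priority module that arbitrates when two tasks, or an operator's manual override of the kind mentioned in the discussion section, command the same equipment, returning conflict feedback so that the losing task holds its step and retries. The task names, equipment tags (PUMP-A, PUMP-B, FCV-1), priorities and step lists are constructed sample data, and continuous steps and the jump-to operation are left out.

```python
"""Toy model of the coordination-level schedule mechanism (added example).

Task schedule module  -> tracks the current main-line step of every task
Execution module      -> emits the command of each running task once per cycle
Priority module       -> per equipment, forwards the highest-priority command and
                         reports the losing commands as conflict feedback
Operator override     -> a pinned (equipment, action) pair that outranks every task
All task names, equipment tags and step lists below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OPERATOR_PRIORITY = 10 ** 6  # manual override always outranks automated tasks


@dataclass(frozen=True)
class Command:
    equipment: str
    action: str
    source: str    # task name, or "OPERATOR" for a manual override
    priority: int  # higher wins


@dataclass
class Task:
    name: str
    priority: int
    steps: List[Tuple[str, str]]  # main-line step set: (equipment, action)
    current: int = 0              # index of the current step

    def done(self) -> bool:
        return self.current >= len(self.steps)

    def current_command(self) -> Optional[Command]:
        if self.done():
            return None
        equipment, action = self.steps[self.current]
        return Command(equipment, action, self.name, self.priority)


def arbitrate(commands: List[Command]) -> Tuple[Dict[str, str], List[Command]]:
    """Priority module: one output action per equipment plus the rejected commands."""
    per_equipment: Dict[str, List[Command]] = {}
    for cmd in commands:
        per_equipment.setdefault(cmd.equipment, []).append(cmd)
    outputs: Dict[str, str] = {}
    rejected: List[Command] = []
    for equipment, cmds in per_equipment.items():
        winner = max(cmds, key=lambda c: c.priority)
        outputs[equipment] = winner.action
        # Several sources asking for the same action is agreement, not a conflict.
        rejected.extend(c for c in cmds if c.action != winner.action)
    return outputs, rejected


class TaskScheduler:
    def __init__(self, tasks: List[Task]):
        self.tasks: Dict[str, Task] = {t.name: t for t in tasks}
        self.overrides: Dict[str, str] = {}  # equipment -> action pinned by the operator

    def override(self, equipment: str, action: str) -> None:
        self.overrides[equipment] = action

    def cycle(self) -> Tuple[Dict[str, str], List[str]]:
        """One scheduling cycle: returns (commands sent to equipment logic, tasks held)."""
        commands: List[Command] = []
        for task in self.tasks.values():
            cmd = task.current_command()
            if cmd is not None:
                commands.append(cmd)
        for equipment, action in self.overrides.items():
            commands.append(Command(equipment, action, "OPERATOR", OPERATOR_PRIORITY))
        outputs, rejected = arbitrate(commands)
        held = {c.source for c in rejected}
        # Conflict feedback: a task whose command lost keeps its current step and retries
        # next cycle; every other running task advances to its next step.
        for task in self.tasks.values():
            if not task.done() and task.name not in held:
                task.current += 1
        return outputs, sorted(held)

    def run(self, max_cycles: int) -> List[Tuple[Dict[str, str], List[str]]]:
        log = []
        for _ in range(max_cycles):
            if all(t.done() for t in self.tasks.values()):
                break
            log.append(self.cycle())
        return log


def make_demo_tasks() -> List[Task]:
    """Two constructed tasks that both want PUMP-A in their first step."""
    return [
        Task("power_ramp", priority=1, steps=[("PUMP-A", "START"), ("FCV-1", "OPEN")]),
        Task("pump_swap", priority=2, steps=[("PUMP-A", "STOP"), ("PUMP-B", "START")]),
    ]


if __name__ == "__main__":
    scheduler = TaskScheduler(make_demo_tasks())
    for n, (out, held) in enumerate(scheduler.run(10), 1):
        print(f"cycle {n}: {out} held={held}")
    pinned = TaskScheduler(make_demo_tasks())
    pinned.override("PUMP-A", "STOP")  # operator keeps PUMP-A stopped
    for n, (out, held) in enumerate(pinned.run(3), 1):
        print(f"override cycle {n}: {out} held={held}")
```

In the first run the lower-priority task is held for one cycle while the higher-priority task uses PUMP-A, then both complete; with the operator override pinned, the automated START never reaches the equipment logic and the held task simply keeps retrying, which is the behaviour a manual override is meant to give.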

4 Discussion and Conclusion

For the framework and the new functions, algorithms and equipment involved in it, the requirements of nuclear safety must be considered. Industrial I&C systems that support AI or advanced algorithms are already widely applied in conventional power plants and many other industries, but nuclear safety places higher requirements on reliability. On the hardware side, equipment qualification must be carried out to ensure that the equipment can withstand earthquake, radiation, electromagnetic interference and other extreme environments. On the software side, a verification and validation process must be carried out to ensure the correctness and effectiveness of the advanced algorithm [7]. Without these qualification processes the equipment cannot be used to perform safety-related operation tasks in accident situations, the number of operating staff will not be reduced, and the level of automation of the PWR cannot be significantly improved. These processes are therefore necessary before advanced algorithms and equipment can be applied deeply enough to raise the level of automation of a large commercial PWR. Improving the level of automation may reduce the possibility of human error and increase the safety of the plant. However, possible negative impacts of advanced I&C functions must also be considered. Advanced algorithms such as neural networks are black-box models and their uncertainty must be accounted for. A general principle for this kind of application is to use sufficient test cases and a safety analysis to ensure that it has no negative effect on the original safety function [8]. A priority control and manual override approach can also be used to eliminate possible negative effects. Beyond the I&C system design itself, too few manual operations may also lower the situational awareness of the human operator, which has a negative effect on human factors engineering and therefore on the safety of the plant. The human factors should therefore also be re-evaluated during the implementation of advanced I&C functions. In summary, the latest developments and applications of AI and smart plant technologies make it possible to further improve the level of automation of large commercial PWRs. To approach this goal, task-based algorithm applications and a framework that organizes plant-level autonomous operation should be implemented, while the impact on nuclear safety is considered throughout. With growing application experience of AI and other advanced technology, autonomous operation of nuclear power plants may enter industrial application step by step.

References
1. Power Reactor Information System Database of International Atomic Energy Agency. https://www.iaea.org/resources/databases/power-reactor-information-system-pris. Accessed 13 July 2020
2. Wood, R.T., Upadhyaya, B.R., Floyd, D.C.: An autonomous control framework for advanced reactors. Nucl. Eng. Technol. 49, 896–904 (2017)
3. Wang, X.-K., Yang, X.-H., Liu, G., Qian, H.: Adaptive neuro-fuzzy inference system PID controller for SG water level of nuclear power plant. In: Proceedings of the Eighth International Conference on Machine Learning and Cybernetics, pp. 567–572. IEEE, Baoding (2010)
4. Al Masri, H.F.: Adaptive neural network algorithm for power control in nuclear power plants. J. Phys. Conf. Ser. 781, 012052 (2017)
5. de Oliveira, M.V., de Almeida, J.C.S.: Application of artificial intelligence techniques in modeling and control of a nuclear power plant pressurizer system. Prog. Nucl. Energy 63, 71–85 (2013)
6. Saridis, G.N.: Entropy in Control Engineering. World Scientific Publishing Co Pte Ltd., Singapore (2001)
7. Delafield, J.P.: Safety cases for use of smart devices in existing nuclear power stations – “getting the balance right”. In: International System Safety Conference Incorporating the Cyber Security Conference, pp. 1–6. IET, UK (2014)
8. Hines, J.W., Garvey, D., Seibert, R., Usynin, A.: Technical Review of On-Line Monitoring Techniques for Performance Assessment. United States Nuclear Regulatory Commission, Rockville (2008)

Research and Application of FPGA V&V Technology in NPP Safety I&C System

Sheng-Chao Wang(B), Wang-Ping Ye, and Tao Bai
State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co., Ltd., Shenzhen 518172, China

Abstract. As a diverse alternative to microprocessor technology, FPGA technology has been adopted in an I&C system important to safety that was independently developed by a Chinese nuclear power group, because it reduces the overall complexity of the NPP I&C system and effectively removes the hidden danger of DCS common cause failure. Internationally, FPGA V&V technology for NPP I&C systems important to safety is still under discussion and no consensus operating standard has yet formed. Domestically, the FPGA regulations and standards in the nuclear power field are also incomplete and engineering practice experience is insufficient; the various V&V technologies and methods and their engineering application are still being explored and improved. It is therefore urgent to solve the engineering application problem of FPGA V&V technology in digital systems that perform functions important to safety in the nuclear power field. Through research on the relevant regulations and standards of FPGA V&V for NPP I&C systems important to safety, a general FPGA V&V technical scheme and method system suitable for such systems is established, and the application effect of the scheme and methods is tested in project practice. Finally, the key technical points in the FPGA V&V process for NPP I&C systems important to safety are summarized.
Keywords: I&C system · Safety · FPGA · V&V

1 Introduction

After the gradual application of digital Instrumentation and Control (I&C) systems in Nuclear Power Plants (NPP), many international and national standards explicitly require I&C systems to exhibit diversity, so that I&C systems important to safety based on computer systems can achieve the expected safety and reliability goals. As a diverse alternative to microprocessor technology, Field-Programmable Gate Array (FPGA) technology has been adopted in the reactor pressure vessel level measurement system, an I&C system important to safety independently developed by a Chinese nuclear power group, because it reduces the overall complexity of the NPP I&C system and effectively removes the hidden danger of DCS Common Cause Failure. When an FPGA-based system or equipment is used to implement a safety function, the system or equipment needs to meet the requirements of the national regulatory authorities as well as the appraisal requirements of the owners and purchasing units. Internationally, FPGA verification and validation (V&V) technology for NPP I&C systems important to safety is still under discussion and no consensus operating standard has yet formed. Domestically, the FPGA regulations and standards in the nuclear power field are also incomplete and engineering practice experience is insufficient; the various V&V technologies and methods and their engineering application are still being explored and improved. It is therefore urgent to solve the engineering application problem of FPGA V&V technology in digital systems that perform functions important to safety in the nuclear power field. The main contents of this study are: research on the relevant regulations and standards of FPGA V&V for NPP I&C systems important to safety; establishment of a technical scheme and method of FPGA V&V suitable for such systems; testing of the application effect of the scheme and method in project practice; and a summary of the key technical points in the FPGA V&V process.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 436–443, 2021. https://doi.org/10.1007/978-981-16-3456-7_42

2 Standard Research

Before establishing an FPGA V&V scheme suitable for NPP I&C systems important to safety, it is first necessary to clarify the relevant standard requirements, the FPGA V&V activities and tasks to be executed for each class of safety function, and the techniques and methods used to execute those activities and tasks. The relevant standards and reports for FPGA V&V of NPP I&C systems important to safety are shown in Fig. 1.

[Fig. 1 layout not recovered in extraction. It arranges IEC 60880-2006, IEC 60987-2007, IEC 62566-2012, IEC 62138-2004, IEEE 1364-2005, IEEE 1012-2004, GB/T 33783-2017, IAEA TRS 384-1999 and NUREG/CR-7006-2010 against three layers: Requirements; V&V Activities and Tasks; Techniques and Methods.]

Fig. 1. Relevant standards and reports of FPGA V&V.

IEC 60987 specifies the hardware design requirements for NPP Class 1 and Class 2 computer-based systems [1], including hardware requirements, V&V, identification, manufacturing, installation and commissioning, maintenance, operation and related matters. It applies to new hardware designs of NPP Class 1 and Class 2 computer-based systems, as well as to the design process and design verification of programmable logic devices. IEC 62566, which supplements IEC 60987 [2], targets the development activities of HDL-Programmed Devices (HPD). It gives methods for HPD requirements, design, implementation, verification and analysis; for the selection of blank integrated circuits, microelectronic process devices and pre-developed blocks (PDB) used in HPD development; procedures for HPD modification and configuration control; and requirements for the selection and use of software tools in HPD development. IEC 60880 specifies the requirements for NPP I&C systems important to safety, software aspects for computer-based systems performing category A functions [3]; it aims at obtaining highly reliable software and covers every stage of producing and documenting the software, including requirements specification, design, implementation, verification, validation and operation. IEC 62138 sets out the requirements for NPP I&C systems important to safety, software aspects for computer-based systems performing category B or C functions [4], and applies to each stage of the software life cycle of such computer-based systems in an NPP. IEEE 1012 is a process standard that defines V&V processes in terms of specific activities and related tasks [5] and also defines V&V plans. The V&V process provides objective evaluation of products and processes throughout the life cycle to show whether the requirements are correct, complete, accurate, consistent and testable, to determine whether the development product of a given activity meets the requirements of that activity, and whether the final product meets its intended use and user needs. IAEA TRS 384 is a software V&V report for NPP I&C [6]. It introduces safety classification and software types, software development related activities and documents, and software verification and validation activities. IEEE 1364 [7], the complete specification of the Verilog hardware description language, covers the formal syntax and semantics of all Verilog constructs, the system tasks and functions of the simulator (such as text output display commands), compiler directives (such as text substitution macros and simulation time scales), the connection mechanism of the programming language interface (PLI), application examples, etc. NUREG/CR-7006 is a guidance report for the review of FPGAs in NPP safety systems [8]. It mainly introduces FPGA design practice, design entry methods and design methodologies; the design methodologies include design for safety, FPGA selection, design tool selection and design flow. GB/T 33783 is a testing guideline for programmable logic device software [9]. It is suitable for testing programmable logic devices and specifies requirements such as the purpose, content, management, levels, process, types and methods of testing.

Research and Application of FPGA V&V Technology

439

3 FPGA V&V Scheme

3.1 Research Route

The research route of the FPGA V&V scheme is to learn fully from the good practice of software evaluation in the aerospace and military industries, absorb the successful experience of V&V projects on pure software in nuclear safety digital I&C systems, rely on FPGA-related scientific research projects to carry out FPGA V&V technology research, and rely on the FPGA V&V project of an NPP I&C system important to safety (a prototype) to practise and refine the approach. In this way a relatively mature set of FPGA V&V technical schemes, techniques and methods suitable for NPP I&C systems important to safety has been formed, and the final results have been promoted and applied in the market to create economic benefit. The research route is shown in Fig. 2.

[Fig. 2 flow: Good Practices / Successful Experiences -> Technical Research -> Forming Scheme of Prototype V&V Practice -> Engineering Application and Popularization]

Fig. 2. The research route of the FPGA V&V.

3.2 Scheme Model

General V&V schemes have been formulated for category A, B and C functions respectively. The standards for FPGA-based I&C systems important to safety in nuclear power include IEC 62566, which covers category A functions; the standard for category B/C functions, IEC 62566-2, had not been officially released at the time of this work. On the foundation of the standard research, and referring to IEC 62566, IEC 60880, IEC 62138 and other related standards and reports, a general scheme for performing category A/B/C functions with FPGAs was worked out. The FPGA V&V general scheme is shown in Fig. 3. It differs from pure software (such as embedded software) V&V in that it fully considers the software-like development process and design flexibility of a development process with the FPGA as its core, and also pays full attention to reliability with respect to random failures and to environmental withstand capability, including faults due to single event upset (SEU) and neutron/alpha radiation where relevant. The process in the scheme of Fig. 3 differs from the V&V process of pure software as follows:
1. V&V must consider the electrical and timing performance of the FPGA, such as the setup and hold time of input signals, operating frequency and delay information.
2. Pure software V&V begins code testing in the implementation V&V phase, whereas FPGA V&V begins RTL code functional simulation testing in the detailed design V&V phase, and the simulation testing must check the correctness of the state transitions of each state machine.
3. The simulation testing after synthesis and place and route must pay attention to timing: the timing of the routed netlist must be analysed under the best, worst and typical operating conditions, and the setup and hold time of each register must be checked for violations.
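The third point, as an added worked example rather than anything taken from the paper: a simplified Python static timing check over register-to-register paths at the best, typical and worst corners. Each constructed path carries a clock-to-Q and a combinational delay per corner plus a clock skew term; a setup check fails when the slow (worst) corner cannot fit inside the clock period and a hold check fails when the fast (best) corner delivers new data before the hold window closes, which is why a design that passes only the typical corner is not proven. Path names, delays and the 10 ns clock are constructed sample data; real STA additionally models clock uncertainty, multicycle and false paths and on-chip variation, which this model leaves out.

```python
"""Simplified multi-corner static timing check (added example, constructed data).

setup slack = (T + skew) - (t_cq + t_comb + t_setup)   must be >= 0 at every corner
hold  slack = (t_cq + t_comb) - (t_hold + skew)        must be >= 0 at every corner
where skew is the capture clock arrival minus the launch clock arrival.
Slow (worst) corners threaten setup; fast (best) corners threaten hold.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

CORNERS = ("best", "typical", "worst")


@dataclass(frozen=True)
class Path:
    name: str
    cq: Dict[str, float]    # launch register clock-to-Q delay per corner (ns)
    comb: Dict[str, float]  # combinational delay per corner (ns)
    skew: float = 0.0       # capture clock arrival minus launch clock arrival (ns)


@dataclass(frozen=True)
class Constraints:
    period: float  # clock period (ns)
    setup: float   # capture register setup time (ns)
    hold: float    # capture register hold time (ns)


@dataclass(frozen=True)
class Violation:
    path: str
    corner: str
    check: str   # "setup" or "hold"
    slack: float


def setup_slack(path: Path, c: Constraints, corner: str) -> float:
    return round((c.period + path.skew) - (path.cq[corner] + path.comb[corner] + c.setup), 3)


def hold_slack(path: Path, c: Constraints, corner: str) -> float:
    return round((path.cq[corner] + path.comb[corner]) - (c.hold + path.skew), 3)


def analyze(paths: List[Path], c: Constraints) -> List[Violation]:
    """Every path at every corner; anything with negative slack is reported."""
    checks: List[tuple] = [("setup", setup_slack), ("hold", hold_slack)]
    found: List[Violation] = []
    for p in paths:
        for corner in CORNERS:
            for check, fn in checks:
                slack = fn(p, c, corner)
                if slack < 0:
                    found.append(Violation(p.name, corner, check, slack))
    return found


def passes_at(paths: List[Path], c: Constraints, corner: str) -> bool:
    """True when every path meets both setup and hold at one corner only."""
    return all(setup_slack(p, c, corner) >= 0 and hold_slack(p, c, corner) >= 0 for p in paths)


def max_frequency_mhz(paths: List[Path], c: Constraints) -> float:
    """Highest clock frequency at which setup passes on every path in the worst corner."""
    min_period = max(p.cq["worst"] + p.comb["worst"] + c.setup - p.skew for p in paths)
    return 1000.0 / min_period


def demo_paths() -> List[Path]:
    """Constructed paths: a long FSM next-state path, a short synchronizer path, a datapath."""
    cq = {"best": 0.3, "typical": 0.5, "worst": 0.8}
    return [
        Path("ctrl_fsm", cq, {"best": 4.0, "typical": 6.0, "worst": 9.0}),
        Path("sync_in", cq, {"best": 0.05, "typical": 0.1, "worst": 0.2}, skew=0.4),
        Path("datapath", cq, {"best": 3.0, "typical": 5.0, "worst": 7.0}),
    ]


DEMO_CONSTRAINTS = Constraints(period=10.0, setup=0.5, hold=0.2)  # constructed 100 MHz clock


if __name__ == "__main__":
    paths = demo_paths()
    print("typical corner alone passes:", passes_at(paths, DEMO_CONSTRAINTS, "typical"))
    for v in analyze(paths, DEMO_CONSTRAINTS):
        print(f"{v.check:5s} violation on {v.path} at {v.corner} corner: slack {v.slack} ns")
    print(f"fmax from worst-corner setup: {max_frequency_mhz(paths, DEMO_CONSTRAINTS):.1f} MHz")
```

The typical corner reports no problem, yet the worst corner exposes a setup violation on the FSM path and the best corner exposes a hold violation on the skewed synchronizer path, which is exactly why the scheme asks for all three conditions.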

[Fig. 3 V-model, recovered labels only. Development branch: System Requirements Specification -> System Design Specification (Summary Design) -> FPGA Requirements -> FPGA Design (Details Design) -> RTL Coding -> Logic Synthesis -> Place and Route -> Hardware Implementation -> FPGA Implementation -> System Integration. V&V activities alongside: Concept V&V, Requirements V&V, Summary Design V&V, Details Design V&V, Implementation V&V, Test V&V, with Verification and Validation links between the branches. Techniques: Code Review and Analysis, Functions Simulation, Logic-Level Simulation, Timing Simulation, Static Timing Analysis.]

Fig. 3. FPGA V&V general scheme.

3.3 V&V Activities and Tasks

According to the requirements for performing category A functions, and referring to the V&V requirements of IAEA TRS 384, the scheme matches the activities and tasks of IEEE 1012 software integrity level 4 and summarizes the specific and common tasks of the five major phases in Table 1. The V&V plan report is compiled and issued at the start of V&V project planning, and the V&V summary report is compiled and issued after the V&V work is completed. Starting from the FPGA V&V task set for category A functions, the task sets for category B/C functions are obtained by tailoring down from the category A set. The activities and tasks at each phase are shown in Table 1.

Table 1. The activities and tasks at each phase. [Table body not recovered in extraction.]

3.4 V&V Techniques and Methods

The scheme includes an FPGA V&V method system for NPP I&C systems important to safety that combines dynamic and static test methods with the integrated application of review, analysis and test techniques, including document review, code review, traceability analysis, FMEA, static code analysis, static timing analysis, functional simulation, logic-level simulation, timing simulation, black-box testing and white-box testing. This combination better meets the depth and breadth requirements of the activities and tasks of FPGA V&V for NPP I&C systems important to safety, and the principle of diverse technical means in the field of NPP systems important to safety. Diverse, multi-dimensional and traceable comprehensive measurement methods guarantee the research and development quality of FPGAs for NPP I&C systems important to safety. Specifically:
1. Design check and traceability analysis achieve 100% measurement of forward and backward traceability of the FPGA requirements.
2. According to the requirements of IEC 62566 on FPGAs, and referring to NUREG/CR-7006, a coding rule set suitable for FPGA-based NPP I&C systems important to safety was developed and integrated into the Leda tool. Static analysis against the coding rules and dynamic functional simulation testing achieve 100% measurement of RTL coding-standard compliance and of test coverage (function, statement, branch, state machine, etc.).


3. Static timing analysis and gate-level/timing dynamic simulation confirm that the post-route analyses or simulations (taking into account the post-route timing information, or back-annotations) establish cycle-by-cycle equivalence of the post-route description with the RTL description for the fastest and slowest cases, including initialization.
4. The combined use of Leda, ModelSim, SmartTime and other automated tools effectively reduces human error and improves testing reliability.

3.5 Application Effect

The contribution of applying the FPGA V&V scheme to the quality of NPP I&C systems important to safety is as follows: 199 anomalies were found in the prototype development stage and 53 anomalies in the engineering application stage. Typical anomalies include:
1. The clock edge used for the data transfer flip-flop is inconsistent with the chip data sheet.
2. State machine errors (no three-process coding style, wrong state transitions).
3. Defective handling of metastability (no second latch stage to resolve the metastable state).
4. Debounce logic for gear switching not implemented.
5. Response time exceeds the limit.
The FPGA V&V scheme of this research has been approved by experts in the nuclear power field in China. The experts agree that:
1. The V&V process is standardized, the work is rigorous, the independence requirements are met, and the provisions of the relevant laws and standards are satisfied.
2. The V&V work effectively guarantees the FPGA quality of the NPP I&C systems and equipment important to safety.
In addition, the scheme meets the FPGA-related regulatory requirements of China's nuclear safety administration on the design and manufacture of safety equipment, and the FPGA V&V technology has also been applied to the ex-core nuclear measurement system and the main pump speed measurement device.
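Item 1 of Sect. 3.4 (forward and backward traceability) in code, as an added example that is not part of the paper: a bidirectional traceability check over constructed requirement, design-element and test-case identifiers. Forward traceability asks whether every requirement is implemented by at least one design element and exercised by at least one test; backward traceability asks whether every design element and test points at a requirement that actually exists, so that unrequested logic (an orphan design element) or a test that verifies nothing shows up as a finding rather than being silently accepted. The identifier scheme (REQ-n, D-n, T-n) and the sample links are constructed.

```python
"""Bidirectional traceability check (added example, constructed data).

forward  (requirement -> design -> test): every requirement must be implemented
         by >= 1 design element and verified by >= 1 test case
backward (design/test -> requirement): every design element and every test must
         trace to an existing requirement; anything else is an orphan or a
         dangling link and must be explained or removed
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Traceability:
    requirements: Set[str]
    design: Dict[str, Set[str]]   # design element -> requirements it implements
    tests: Dict[str, Set[str]]    # test case -> requirements it verifies
    findings: Dict[str, List[str]] = field(default_factory=dict)

    def check(self) -> Dict[str, List[str]]:
        implemented = {r for links in self.design.values() for r in links}
        verified = {r for links in self.tests.values() for r in links}
        report: Dict[str, List[str]] = {
            # forward traceability: requirements nothing implements or nothing tests
            "unimplemented_requirements": sorted(self.requirements - implemented),
            "unverified_requirements": sorted(self.requirements - verified),
            # backward traceability: artefacts with no requirement, or a non-existent one
            "orphan_design": sorted(d for d, links in self.design.items() if not links),
            "orphan_tests": sorted(t for t, links in self.tests.items() if not links),
            "dangling_links": sorted(
                f"{src}->{r}"
                for table in (self.design, self.tests)
                for src, links in table.items()
                for r in links - self.requirements
            ),
        }
        self.findings = report
        return report

    def is_complete(self) -> bool:
        """100 % forward and backward traceability means no finding of any kind."""
        if not self.findings:
            self.check()
        return all(not v for v in self.findings.values())

    def coverage(self) -> Dict[str, float]:
        """Percent of requirements implemented and verified."""
        if not self.findings:
            self.check()
        n = len(self.requirements)
        impl = n - len(self.findings["unimplemented_requirements"])
        ver = n - len(self.findings["unverified_requirements"])
        return {"implemented": 100.0 * impl / n, "verified": 100.0 * ver / n}


def demo_matrix() -> Traceability:
    """Constructed matrix with one gap of each kind."""
    return Traceability(
        requirements={"REQ-1", "REQ-2", "REQ-3", "REQ-4"},
        design={
            "D-1": {"REQ-1"},
            "D-2": {"REQ-2", "REQ-3"},
            "D-3": set(),          # orphan: logic nobody asked for
            "D-4": {"REQ-9"},      # dangling: requirement does not exist
        },
        tests={
            "T-1": {"REQ-1"},
            "T-2": {"REQ-3"},
            "T-3": set(),          # orphan test
        },
    )


if __name__ == "__main__":
    m = demo_matrix()
    for kind, items in m.check().items():
        print(f"{kind}: {items or 'none'}")
    print("coverage:", m.coverage(), "complete:", m.is_complete())
```

The orphan design element is the finding a reviewer should weigh most carefully: in a safety system it is either missing documentation or functionality that was never specified, and either way it cannot be closed by adding a test.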

4 Conclusions

The FPGA V&V technology for NPP I&C systems and equipment important to safety solves the engineering application problem of FPGA V&V for digital systems and equipment that perform functions important to safety in nuclear power and other safety-critical fields. It can effectively improve the safety and reliability of domestically and independently developed digital I&C systems and equipment important to safety, break down foreign technical barriers, and further reduce the construction cost of nuclear power projects. This research has achieved innovation and breakthroughs in the FPGA V&V technical scheme and method system and has established a reasonable and feasible FPGA V&V system and engineering application scheme for NPP I&C systems and equipment important to safety. Applying this FPGA V&V technology must start from the requirements of the different levels of safety function and match V&V activities and tasks to the depth and breadth appropriate to that safety function. In particular, hardware description language coding specifications suitable for NPP I&C systems and equipment important to safety must be developed; only then can the code be checked and analysed effectively. At the same time, the software-like development process and design flexibility of a development process with the FPGA as its core must be fully considered, together with reliability with respect to random failures and environmental withstand capability, including faults due to single event upset (SEU) and neutron/alpha radiation where relevant.

References
1. IEC 60987-2007: Nuclear Power Plants - Instrumentation and Control Important to Safety - Hardware Design Requirements for Digital Systems (2007)
2. IEC 62566: Nuclear Power Plants - Instrumentation and Control Important to Safety - Development of HDL-Programmed Integrated Circuits for Systems Performing Category A Functions
3. IEC 60880-2006: Nuclear power plants - Instrumentation and control systems important to safety - Software aspects for computer-based systems performing category A functions (2006)
4. IEC 62138-2004: Nuclear power plants - Instrumentation and control systems important to safety - Software aspects for computer-based systems performing category B or C functions (2004)
5. IEEE 1012-2004: IEEE Standard for Software Verification and Validation (2004)
6. IAEA TRS 384-1999: Verification and Validation of Software Related to Nuclear Power Plant Instrumentation and Control (1999)
7. IEEE 1364-2005: IEEE Standard for Verilog Hardware Description Language (2005)
8. NUREG/CR-7006-2010: Review Guidelines for Field-Programmable Gate Arrays in Nuclear Power Plant Safety Systems (2010)
9. GB/T 33783-2017: Testing guideline for programmable logic device software (2017)

Research of Software V&V Technology in the Non-safety DCS of NPPs

Sheng-Chao Wang(B), Wang-Ping Ye, Jian-Zhong Tang, and Tao Bai
State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co., Ltd., Shenzhen 518172, China

Abstract. As the nerve center of a nuclear power plant (NPP), the distributed control system (DCS) has been widely used for its complete control functions, flexible system configuration, safe and reliable operation and broad applicability. Modification or upgrade of the DCS is the focus of an NPP's digital modification or upgrade. The reliability of the computerized systems and equipment of a DCS depends to a large extent on the reliability of the software, and systematic failures may be introduced during software development. Software verification and validation (V&V) is recognized as one of the key technologies in the nuclear power field for effectively ensuring and improving software quality. Software V&V for safety DCS has been widely studied and applied, but software V&V for non-safety DCS has not attracted attention from all parties. On this basis, by studying the standards and technical reports related to NPP non-safety DCS software V&V and analysing NPP operating experience from operating event reports, a V&V scheme based on the systems engineering method is proposed, the activities and tasks of each phase of the scheme's V&V process are preliminarily summarized, and the detailed guiding standards and technical reports that can be consulted when executing the V&V tasks are set out. The results are expected to provide a technical reference for the software aspects of non-safety DCS modification or upgrade.
Keywords: Modification or upgrade · Non-safety DCS · Software V&V

1 Introduction

Many nuclear power plants (NPP) around the world built on analog technology face the challenge of digital modification or upgrade. In the past, an engineering process focused on fluid and mechanical systems has proved insufficient for integrating new digital and software-based technology into existing NPP facilities. As the nerve center of an NPP, the distributed control system (DCS) has been widely used for its complete control functions, flexible system configuration, safe and reliable operation and broad applicability, and modification or upgrade of the DCS is the focus of an NPP's digital modification or upgrade. However, the reliability of the computerized systems and equipment depends to a large extent on the reliability of the software, and systematic failures may be introduced during software development. How to ensure the software reliability of computerized systems and equipment is therefore an urgent problem in the digital modification or upgrade of an NPP DCS. Software verification and validation (V&V) is recognized as one of the key technologies in the nuclear power field for effectively ensuring and improving software quality. A DCS is divided by safety level into safety (1E) and non-safety (NC) parts, and by function into safety functions (1E), safety-related functions (SR) and non-safety functions (NC). Safety functions (1E) and safety-related functions (SR) are implemented by the nuclear safety-class (1E) DCS, while non-safety functions (NC) are implemented by the non-safety (NC) DCS. Software V&V for safety DCS has been widely studied and applied, but software V&V for non-safety DCS has not attracted attention from all parties. On this basis, the relevant standards and technical reports on software V&V for non-safety DCS during the digital modification or upgrade of an NPP are studied, and the software V&V scheme and process for non-safety DCS, together with the key activities in the V&V process, are sorted out and formed in combination with the operating experience of non-safety DCS in Chinese NPPs.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 444–451, 2021. https://doi.org/10.1007/978-981-16-3456-7_43

2 Requirements of Standards or Reports IEEE 1220 introduces the application and management of systems engineering process [1], in which systems engineering process spans multiple disciplinary fields, mainly to create an interdisciplinary process and implement it to ensure that requirements are met in a high-quality, reliable, low-cost and timeline manner throughout the system life cycle. The systems engineering process usually includes the following seven tasks: state the problem, investigate alternatives, model the system, integrate, launch the system, assess performance, and re-evaluate. It should be reminded that the systems engineering process is not a sequential seven tasks that can be executed in parallel and iteratively. IEEE 1012 is a general software V&V process standard which matches specific V&V activities and tasks according to software integrity level [2], and defines the attributes, inputs and outputs of tasks in each stage of V&V process. The V&V process provides objective evaluation of products and processes throughout the life cycle to prove whether the requirements are correct, complete, accurate, consistent and measurable, and to determine whether the development product of a given activity meets the requirements of the activity and whether the final product meets its intended use and user requirements. IAEA TRS 384 is a software V&V standard in NPP instrumentation and control (I&C) system [3]. It introduces the organization and management of the V&V process, safety classification and types of software including devices containing software and software tools, and different types of software related activities and documents, verification by phase and validation. EPRI TR 3002011816 is mainly aimed at the modification and upgrade of digital I&C systems or components of existing nuclear facilities [4]. These activities involve the whole life cycle of design, installation, testing and end-of-life. This guidance is also

446

S.-C. Wang et al.

fully applicable to new nuclear power development, including initial design, licensing, installation and start-up, and provides a graded approach with an appropriate amount of rigor, which reduces the likelihood and severity of consequential operating experience events. The graded approach covers technology configurability and the potential consequences of error: determining the configurability of the applied technology, determining the applicability of Digital Engineering Guide (DEG) activities, and determining the potential consequences of error. EPRI TR 3002011816 provides a basic systems engineering process, shown in Fig. 1, which is described in detail in EPRI TR 3002008018.

Fig. 1. The systems engineering process [4].

The systems engineering process includes four activities: requirements engineering, functional analysis & allocation, design synthesis, and system analysis & control, which are applied on successive iterations of system decomposition, from the concept level to the system level and then to the subsystem/component level. Besides, EPRI TR 3002011816 also provides a series of activities in the systems engineering process. EPRI TR 3002008018 introduces the methods and tools related to the systems engineering process for digital I&C projects [5]. The systems engineering methods mainly include requirements analysis, trade studies, function analysis and allocation, design synthesis, hazard analysis, human factors engineering (HFE) analyses, system optimization,

Research of Software V&V Technology in the Non-safety DCS of NPPs

447

modeling and simulation and V&V. The V&V methods and activities are described in several guides and standards, and are most often applied in the context of software engineering and human factors engineering. EPRI guidance on software V&V is available via TR 103291 [6]. EPRI TR 3002008018 also illustrates the basic V&V activities used in the systems engineering process. In addition, systems engineering tools include static tools (e.g., physical, virtual models), dynamic tools (modeling & simulation), and administrative tools (e.g., requirements management).

3 Operating Experience

An important activity in the modification or upgrade of an NPP's non-safety DCS is the problem statement. An important source of problems is the operating events in in-service NPPs or new NPPs under construction. The valuable operating experience formed through the occurrence, cause analysis and resolution of operating events is conducive to the digital modification or upgrade of the NPP non-safety DCS. Operating experience from 61 Operational Event Reports of 9 nuclear power bases in China from February 2015 to January 2020 shows that 39.32% of events were caused by software defects, such as a setting error of the adjusting valve control mode in software, a cross-processor network communication problem, and a hold and reset problem of a pulse control command [7]. 19.70% of events were caused by human errors such as interface installation errors, and 40.98% were due to hardware faults such as hardware aging. The causes of the operational events are shown in Fig. 2.

Fig. 2. The causes of operational events (pie chart: software defect, 24 events, 39.32%; hardware fault, 25 events, 40.98%; human error, 12 events, 19.70%).

According to the types of event causes counted in NPP’s operating event reports, the percentage of software defects is close to the percentage of hardware faults. Attention should be paid to software in the process of digital modification or upgrade. In addition, operating events caused by human errors cannot be ignored.


4 Software V&V Scheme

4.1 V&V Model

According to the research of the above standards, technical reports and operating experience, a V&V scheme for NPP non-safety DCS software is proposed, which includes the V&V model and process, key activities and tasks (Fig. 3).

Fig. 3. The software V&V model [5].

Before adopting the model, it is necessary to measure the level of the engineering change in the model by using the A/B/C/D/E five-level differentiation scheme to determine the system or component of interest. Engineering changes can occur at multiple levels. To determine the level of change and the appropriate level of solution alternatives, the following issues or topics need to be considered:
1. Function or performance changes (e.g. supporting power increases) or new functions (e.g. meeting new regulatory requirements)
2. Network security issues
3. Availability and quality of information on structures, systems, and components at the change level
4. New or emerging regulatory or design constraints
5. Change interfaces
6. Device differences
7. Data communication (network, fieldbus, media type, etc.)

4.2 V&V Activities and Tasks

After determining the scope of the changed system or component, the V&V activities and tasks of each phase are determined according to the graded approach and the change


level. According to the issues or topics to be considered in the main phases, inputs and outputs are adopted to match V&V activities and tasks. The V&V activities and tasks of the main phases are shown in Table 1.

Table 1. V&V activities and tasks.

Phase: Conceptual/common design
Activities: Verify & validate or confirm V&V of the conceptual/common requirements, architecture, design and implementation
Tasks: 1. Traceability analysis; 2. Criticality analysis; 3. Identify improvement opportunities in the conduct of V&V; 4. Management review of the V&V effort; 5. SVVP generation

Phase: Detailed design
Activities: Verify & validate or confirm V&V of the detailed requirements, architecture, design, and implementation
Tasks: 1. Traceability analysis; 2. Criticality analysis; 3. Identify improvement opportunities in the conduct of V&V; 4. Integration V&V test procedure/plan/design/case generation; 5. Management review of the V&V effort; 6. Software requirements/design evaluation; System V&V test case generation

Phase: Installation planning and test
Activities: Verify and validate or confirm V&V of the integrated installed system or component
Tasks: 1. Traceability analysis; 2. Identify improvement opportunities in the conduct of V&V; 3. Integration V&V test execution; 4. Management review of the V&V effort; 5. System V&V test execution

Inputs (all phases): 1. Plans and/or procedures; 2. V&V processes and methods; 3. Scenarios and test cases; 4. Success criteria and expected results; 5. Tools; 6. Roles and responsibilities; 7. Actions to be taken when anomalies are discovered
Outputs (all phases): Reports that provide the results and conclusions of the V&V activities

In addition, the closeout information of the closeout phase shall be documented under user-specified procedures. The operation and maintenance phase of the system or component lifecycle includes supporting system or component operation and maintenance activities, performing or confirming corrective actions, initiating engineering changes as needed, controlling bounded configuration changes via administrative procedure, and performing or confirming disposal of system or component elements. The corresponding V&V tasks of the operation and maintenance phase include criticality analysis, identifying improvement opportunities in the conduct of V&V, management review of the V&V effort, SVVP revision, and iteration of the tasks.


The purpose of the V&V process in the conceptual/generic design phase of the facility change project is to provide or determine objective evidence that the results of the conceptual/generic design phase activities are complete, correct and consistent. The V&V methods or tools of this phase include inspection, analysis (including modeling and simulation), demonstration, or test. Detailed requirements traceability analysis and verification process can be found respectively in EPRI 3002002843 section 4.8 and ISO/IEC/IEEE 15288 section 6.4.9 [8, 9]. During the detailed design phase of the facility change project, the purpose of the V&V process is to provide or determine objective evidence to prove that the detailed requirements, structure, design and implementation conform to the conceptual/generic requirements, architecture and design. The V&V methods or tools of this phase include inspection, analysis (including modeling and simulation), demonstration, or test. Detailed requirements traceability analysis and design review can be found respectively in EPRI 3002002843 section 4.8 and 5.2 [8], verification process and validation process can be found respectively in ISO/IEC/IEEE 15288 section 6.4.9 and 6.4.11 [9]. The purpose of the V&V process in the installation planning and test phase of the facility change project is to provide or identify objective evidence that the integrated system or component has correctly realized its detailed requirements, architecture and design, and that the installed and debugged system or component has correctly realized its detailed requirements, architecture and design throughout NPP. Detailed requirements traceability analysis and design review can be found respectively in EPRI 3002002843 section 4.8 and 5.2 [8], verification process and validation process can be found respectively in ISO/IEC/IEEE 15288 section 6.4.9 and 6.4.11 [9].
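Traceability analysis is the one task that appears in every phase of Table 1 and in each of the phase descriptions above. The following is an added example written for this page, not code from the paper or from any of the standards it cites: it runs a backward and forward traceability check over a small constructed set of requirements, design elements and test cases (the identifiers CR-1, DR-1, DD-1, TC-1 and the requirement texts are all made up for the illustration) and reports the gaps a V&V team would have to close before the phase could be signed off.

```python
"""Requirements traceability analysis for a facility change (added example).

Constructed sample data, not the paper's tooling. Checks the links that the
traceability task in Table 1 demands: every detailed requirement traces back
to a conceptual/common requirement, every conceptual requirement is refined
by at least one detailed requirement, every detailed requirement is realised
by a design element and covered by a V&V test case, and no item links to an
identifier that does not exist.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Item:
    """A requirement, design element or test case with its upstream links."""
    ident: str
    text: str
    traces_to: frozenset = frozenset()


# Constructed sample set (hypothetical identifiers and wording).
CONCEPTUAL = [
    Item("CR-1", "Valve control mode is selectable by the operator"),
    Item("CR-2", "Pulse commands are held until acknowledged"),
]
DETAILED = [
    Item("DR-1", "Selected valve mode is stored in non-volatile memory", frozenset({"CR-1"})),
    Item("DR-2", "Pulse command is reset after 200 ms without acknowledgement", frozenset({"CR-2"})),
    Item("DR-3", "Cross-processor messages carry a sequence number"),  # no parent: a gap
]
DESIGN = [
    Item("DD-1", "Mode register module", frozenset({"DR-1"})),
    Item("DD-2", "Pulse timer module", frozenset({"DR-2"})),
]
TESTS = [
    Item("TC-1", "Selected mode survives a processor restart", frozenset({"DR-1"})),
    Item("TC-2", "Sequence number check", frozenset({"DR-9"})),  # links to an unknown id
]


def _ids(items: Iterable[Item]) -> set:
    return {i.ident for i in items}


def _covered(targets: Iterable[Item], sources: Iterable[Item]) -> set:
    """Identifiers among `targets` that at least one of `sources` traces to."""
    wanted = _ids(targets)
    return {t for s in sources for t in s.traces_to if t in wanted}


def analyze(conceptual: List[Item], detailed: List[Item],
            design: List[Item], tests: List[Item]) -> Dict[str, List[str]]:
    """Return the traceability findings, one sorted list per check."""
    known = _ids(conceptual) | _ids(detailed) | _ids(design) | _ids(tests)
    return {
        # backward traceability: each detailed requirement has a parent
        "detailed_without_parent": sorted(d.ident for d in detailed if not d.traces_to),
        # forward traceability: each conceptual requirement is refined
        "conceptual_without_child": sorted(_ids(conceptual) - _covered(conceptual, detailed)),
        # each detailed requirement is realised in the design and covered by a test
        "detailed_without_design": sorted(_ids(detailed) - _covered(detailed, design)),
        "detailed_without_test": sorted(_ids(detailed) - _covered(detailed, tests)),
        # links whose target exists nowhere in the baseline
        "dangling_links": sorted(f"{s.ident}->{t}" for s in detailed + design + tests
                                 for t in s.traces_to if t not in known),
    }


def is_complete(findings: Dict[str, List[str]]) -> bool:
    """True only when every traceability check came back empty."""
    return not any(findings.values())


if __name__ == "__main__":
    result = analyze(CONCEPTUAL, DETAILED, DESIGN, TESTS)
    for check, gaps in result.items():
        print(f"{check:26s} {gaps or 'OK'}")
    print("traceability complete:", is_complete(result))
```

On the sample set the script flags DR-3 as having neither a parent requirement, a design element nor a test, DR-2 as untested, and TC-2 as pointing at a requirement that does not exist; the same five checks apply unchanged at the conceptual, detailed design and installation phases, only the baseline fed in changes.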

5 Conclusions

Based on the research of NPP non-safety DCS software V&V related standards and technical reports, combined with the analysis of NPP operating experience in operating event reports, a V&V scheme based on the systems engineering method is proposed; the activities and tasks of each phase of the scheme's V&V process are preliminarily summarized, and the detailed guiding standards or technical reports that can be referred to when executing V&V tasks are expounded. The research on software V&V technology for the non-safety DCS in NPPs can provide a technical reference for NPP V&V during software modification or upgrade of the non-safety DCS, and effectively ensure software quality in the process of digital modification or upgrade of the non-safety DCS.

References
1. IEEE 1220-2005 IEEE Standard for Application and Management of the Systems Engineering Process
2. IEEE 1012-2004 IEEE Standard for Software Verification and Validation
3. IAEA TRS 384-1999 Verification and Validation of Software Related to Nuclear Power Plant Instrumentation and Control
4. EPRI TR 3002011816-2018 Digital Engineering Guide: Decision Making Using Systems Engineering
5. EPRI TR 3002008018-2016 Systems Engineering Process: Methods and Tools for Digital Instrumentation and Control Projects
6. EPRI TR 103291-1998 Handbook for Verification and Validation of Digital Systems
7. Zhong, L., Ming-Liang, S., Jia-Jie, W.: Analysis of typical problems of DCS non-safety class software. Nucl. Power Eng. 38(3) (2017)
8. EPRI 3002002843-2014 Requirements Engineering for Digital Instrumentation and Control Systems
9. ISO/IEC/IEEE 15288-2015 Systems and Software Engineering - System Life Cycle Processes

Structural Design and Dynamic Analysis of Nuclear Safety DCS Cabinet with Light-Weight and Impact Resistance

Jun-An Dai, Ming-Xing Liu(B), Xiao Wu, Zhi Chen, Dong-Wei Wang, Fa-Qiang Li, and Chang-Wen Yao

Science and Technology on Reactor System Design Technology Laboratory, Nuclear Power Institute of China, Chengdu 610213, China
[email protected]

Abstract. The safety digital control system (DCS) cabinet, as the carrier of the electronic devices, plays a significant role in ensuring the normal operation of the nuclear power plant. In this work, a design idea for an impact-resistant cabinet frame with high strength and low mass is proposed. It adopts design ideas such as flat frame section design, distributed multi-column layout, integrated structural and functional design and preservation of a certain safety margin, which can be used to guide the design of cabinets with high stiffness and strength, small column size and low weight. In addition, finite element analysis and impact response analysis of the designed cabinet are carried out using the ABAQUS-DDAM method. Results show that the designed cabinet is characterized by high stiffness, high strength and low weight, and that the cabinet has good ability to resist high levels of impact. The design ideas proposed in this research can provide a reference for the design of structural parts of other shock-resistant electronic equipment.

Keywords: Impact resistance · Cabinet · Structure design · Finite element analysis · DDAM

1 Introduction

With the development of floating nuclear reactor technology, the safety digital control system (DCS) is imperative for the floating nuclear reactor. At present, ocean-going vessels are commonly made of alloy steel, which has a strong ability to resist high-level impact underwater. However, the electronic devices will be damaged in the case of excessive acceleration, which will consequently affect the normal operation of the safety level DCS of the whole floating nuclear reactor [1]. Therefore, verifying the impact performance of the electronic devices in the design stage to ensure their impact resistance is of great significance for the overall reliability of the floating nuclear reactor [1]. The cabinet is used to accommodate all kinds of electrical and electronic devices (such as cases, components and cables), and plays an important role in protecting the safety of the electronic devices. Nowadays, aluminum alloy casting cabinets have been

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021 Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 452–462, 2021. https://doi.org/10.1007/978-981-16-3456-7_44

Structural Design and Dynamic Analysis of Nuclear Safety DCS Cabinet

453

widely used in the control systems of the ship environment [2–4]. However, the cast aluminum cabinet has the disadvantages of high processing cost, poor material ductility and large mass, which makes it difficult to move. Additionally, plastic deformation of the aluminum cabinet occurs easily under high impact, which is detrimental to carrying and protecting electronic devices. Up to now, the sheet metal cabinet has been widely used in various fields because of its good bending and torsion resistance, good ductility and low machining cost. Therefore, designing a new type of marine steel cabinet for the safety digital control system (DCS) with sufficient impact resistance is necessary. In this work, a design idea for a high strength, low mass, impact-resistant sheet metal cabinet frame is proposed, and a multi-column vessel cabinet framework with a sheet metal plus square structure is designed. Considering that the devices inside the cabinet have a high layout density, the corresponding cable types and quantities are very complicated. Thus, the design process should accommodate the installation of all kinds of devices while ensuring good operation and maintenance. After the structural design, the finite element software ABAQUS is used to calculate the impact responses of the cabinet from different directions using DDAM, to validate the ability of the cabinet to resist impact. The design ideas and numerical simulation analysis methods proposed in this study provide references for the structural design of other shock-resistant electronic devices.

2 Frame Design of Cabinet

2.1 Structural Design Schemes of the Cabinet

In order to achieve a light-weight and maneuverable DCS cabinet for the floating nuclear safety reactor, the following structural design schemes are proposed:
(1) Flat frame section design. Minimize the size of each section of the cabinet frame to reduce the volume, especially the area of the front and rear doors of the cabinet. The columns are flattened to reduce their projected area on the surface.
(2) Distributed multi-column layout. To keep suitable structural stiffness despite the reduction of the frame section size, the traditional centralized layout of four large columns is changed to many small columns in a dispersed layout, which ensures the same structural mechanical properties. Additionally, the new columns should be located in poorly usable internal positions of the cabinet, where they have little effect on its operation and maintainability.
(3) Integrated design of structure and function. The internal and external installation interfaces are highly integrated with the frame structure, which reduces space occupancy and mass.
(4) Reduce unnecessary mass. For components with a low functional load, less material is needed; for example, avoid bent sections in non-load-bearing structure such as cabinet surface

454

J.-A. Dai et al.

coverings, and in the load-bearing structure (columns). At the same time, remove material that carries a smaller load from the frame as far as possible, so that higher structural efficiency is achieved.
(5) Maintain a certain margin of safety. For positions with a larger load in the frame, sufficient material allowance should be retained to avoid failure and the resulting structural deformation; collaborative deformation and redundant connections are used to control the overall failure of the whole structure.

2.2 Result of the Cabinet Frame Structure

According to the above design ideas, the cabinet frame of the safety DCS is shown in Fig. 1. Based on the design requirements, the frame size is 600 mm × 800 mm × 1800 mm (width × depth × height). The mass of the cabinet frame is less than 100 kg, and the main material is 304 stainless steel. The frame structure of the cabinet is composed of six columns, a top frame and a bottom frame, of which the columns are welded from sheet metal. The bottom frame and the top frame are welded from small rectangular tube; the bottom area, side doors and top area are covered by steel skin, where the bottom board is a 10 mm thick plate because of the mounting interface. By contrast, the top and side door areas are only used to protect devices, so thin steel plates are used to cover these areas. All structures are assembled by welding, and a number of redundant surfacing welds are used to ensure the connection strength of the columns. The other sheet metal panels are joined by plug welds at multiple points to control welding deformation.

Fig. 1. Diagram of the frame structure


The columns are all flattened to narrow their width in the plane perpendicular to the Y direction (side door operation) and to increase the corresponding depth, and the inner column is arranged midway between the front and rear columns. The moment of inertia of the columns about Y is secured by the section size of each column and by the number of columns accumulated along X, so that the frame has higher rigidity. The reinforcing beams between the inner column and the front and rear columns then form an integrated sidewall structure, as shown in Fig. 2(a). The main equipment of the cabinet is mainly standard 19 inch equipment, so the standard installation holes of the angle gauge are integrated on the bent sheet metal of the inner column and the front column, as shown in Fig. 2(b), and the strengthening beam is also integrated with the expansion installation interface. The installation interface of the shock absorbers on the bottom board can be fitted with 4 pairs of wire rope shock absorbers, the top is designed with an L-type adapter plate, and 2 pairs of wire rope shock absorbers are installed there, as shown in Fig. 3.

a. frame profile

b. Schematic diagram of column structure

Fig. 2. Schematic diagram of frame section structure

Fig. 3. Schematic diagram of cabinet installation interface


3 Finite Element Simulation Analysis

3.1 Establishment of the Finite Element Model

In order to ensure that the cabinet has enough ability to resist impact, finite element analysis is performed in this section. The cabinet structure is established in ABAQUS and is composed of a bottom board, a bottom frame, front and rear columns, an inner column, a crossbeam, a chassis, a chassis bracket and a top cover. Some special mass points are defined on the chassis bracket to simulate the weight of the devices, such as the functional chassis, power box, various modules and cables. The parts of the model are meshed with hexahedral elements (C3D8) and tetrahedral elements (C3D4). The material parameters and mesh characteristics of the components are shown in Table 1. It is worth noting that four pairs of GSG spring dampers are installed at the bottom and two pairs of GSG springs are installed on the top of the cabinet to absorb the impact energy. To simulate the spring connections in the numerical model, a script written in Python is run in ABAQUS to obtain identical node coordinates on the upper and lower sections of the spring area; spring elements with a certain impact stiffness are then introduced between the two contact surfaces at the nodes with the same coordinates. In the same way, identical node coordinates are obtained on the top of the cabinet and on the side of the impact platform, and the corresponding spring connection elements are established. The flow chart of the Python script is shown in Fig. 4. The established finite element model of the cabinet system is shown in Fig. 5(a). The corresponding boundary conditions of the cabinet are shown in Fig. 5(b), in which the degrees of freedom of the spring bases are constrained in all directions. In order to simulate the weight of the chassis, a reference point RP is created for the chassis bracket, a structural coupling is defined between RP and the bracket surface, and RP is assigned a certain mass as shown in Fig. 5(b) [5].

3.2 Computational Conditions for Impact Design

The impact resistance of the cabinet is assessed according to GJB1060.1-1991 [6]. According to the requirements of DDAM analysis, the impact design conditions are defined as: surface warship equipment, impact-resistant equipment of grade A, with the equipment installed on the hull. No plastic deformation is allowed, so elastic analysis is used. The steps of the DDAM analysis in ABAQUS are as follows:
(1) Calculate the natural frequencies of the system. Extract the vibration modes, modal masses and modal participation factors of the cabinet, and from these calculate the frequencies and accelerations of the impact spectrum.
(2) Using the structural modal parameters extracted in the previous step and the impact spectrum of GJB1060.1-1991 computed for the different directions, load the frequency-domain acceleration curve, extract the maximum Von Mises stress that may occur under the impact state, and compare it with the yield strength of the structure to verify the impact resistance of the structure.


Table 1. Part material type and mesh features

Part name | Component model | Material type | Grid element type | Number of grids
Bottom frame | shell | 304 stainless steel | C3D8 | 9348
Front column | shell | 304 stainless steel | C3D8 | 1758
Intermediate pillar | shell | 304 stainless steel | C3D8 | 1691
Rear column | shell | 304 stainless steel | C3D8 | 7420
Square hole strip | shell | 304 stainless steel | C3D8 | 8904
Beam | shell | 304 stainless steel | C3D8 | 1888
Cover | shell | 304 stainless steel | C3D8 | 8548
L angle steel | solid | 304 stainless steel | C3D4 | 11203

Based on the installation area of the warship's instrumentation and control equipment, the shock spectrum is calculated as

$$A_0 = 196.2\,\frac{(17.01 + m_a)(5.44 + m_a)}{(2.72 + m_a)^2} \qquad (1)$$

$$V_0 = 1.52\,\frac{5.44 + m_a}{2.72 + m_a} \qquad (2)$$

where $m_a$ is the modal mass of the device in t, and $A_0$ and $V_0$ denote the reference acceleration and reference velocity, respectively. According to the different impact


Fig. 4. Python code of node-to-node spring connection of the vibration absorber

a. Finite element model

b. Boundary condition of model

Fig. 5. Finite element model of the cabinet frame and its boundary conditions

directions of the cabinet, different impact accelerations are designed. The acceleration design is shown in Table 2. A0 and V0 are determined by Eqs. (1) and (2). The smaller of V0·ω0 and A0 is taken as the impact acceleration of the system in the given direction, where ω0 is the circular frequency of the vibration mode corresponding to the modal mass ma.


Table 2. Design impact acceleration spectrum of instrument control cabinet equipment

Equipment installation location | Direction of impact | Elastic design acceleration Aa | Va
Hull position | Vertical | 1.0A0 | 1.0V0
Hull position | Transverse | 0.4A0 | 0.4V0
Hull position | Longitudinal | 0.2A0 | 0.2V0
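The design spectrum procedure just described (Eqs. (1) and (2), the direction factors of Table 2, and the rule of taking the smaller of Aa and Va·ω0 for each mode), together with the 80% modal-mass criterion applied in Sect. 3.3, can be carried out as a short script. The following is an added example written for this page, not the authors' ABAQUS script (which the paper shows only as the flow chart of Fig. 4) and not part of GJB1060.1; the factors and the mode data are taken from Tables 2 and 3 of the paper, the total mass of 0.516 t from Sect. 3.3, and the function names are chosen here. It goes slightly beyond the text by evaluating all three directions in one pass.

```python
"""DDAM design shock spectrum per mode (added example, not the paper's code).

Implements Eqs. (1)-(2) of the paper, the Table 2 direction factors for
hull-mounted equipment, the min(Aa, Va*omega0) rule, and the check that the
retained modes carry at least 80% of the total mass.
"""
import math
from typing import Dict, List, Tuple

G20 = 196.2  # constant of Eq. (1): 20 g expressed in m/s^2


def reference_spectrum(modal_mass_t: float) -> Tuple[float, float]:
    """Reference acceleration A0 (m/s^2) and reference velocity V0 (m/s) of
    Eqs. (1) and (2) for a mode whose modal mass ma is given in tonnes."""
    ma = modal_mass_t
    a0 = G20 * (17.01 + ma) * (5.44 + ma) / (2.72 + ma) ** 2
    v0 = 1.52 * (5.44 + ma) / (2.72 + ma)
    return a0, v0


# Table 2: factors applied to A0 and V0 for equipment at the hull position
DIRECTION_FACTOR: Dict[str, float] = {
    "vertical": 1.0,
    "transverse": 0.4,
    "longitudinal": 0.2,
}


def design_acceleration(modal_mass_t: float, frequency_hz: float, direction: str) -> float:
    """Design acceleration (m/s^2) of one mode: the smaller of Aa = k*A0 and
    Va*omega0 = k*V0*omega0, where omega0 = 2*pi*f is the circular frequency."""
    k = DIRECTION_FACTOR[direction]
    a0, v0 = reference_spectrum(modal_mass_t)
    omega0 = 2.0 * math.pi * frequency_hz
    return min(k * a0, k * v0 * omega0)


def modal_mass_check(effective_masses_t: List[float], total_mass_t: float,
                     threshold: float = 0.80) -> Tuple[bool, float]:
    """The retained modes must carry at least `threshold` (80%) of the total mass."""
    ratio = sum(effective_masses_t) / total_mass_t
    return ratio >= threshold, ratio


Mode = Tuple[int, float, float]  # (mode order, frequency in Hz, effective modal mass in t)


def evaluate_direction(modes: List[Mode], direction: str, total_mass_t: float) -> dict:
    """Per-mode design accelerations plus the modal-mass criterion for one direction."""
    accelerations = {order: design_acceleration(mass, freq, direction)
                     for order, freq, mass in modes}
    ok, ratio = modal_mass_check([mass for _, _, mass in modes], total_mass_t)
    return {"accelerations": accelerations, "mass_ratio": ratio, "mass_ok": ok}


# Mode data of Table 3 (X = transverse, Y = vertical, Z = longitudinal)
CABINET_MODES: Dict[str, List[Mode]] = {
    "transverse": [(1, 10.374, 0.30681), (4, 14.075, 0.17185), (5, 20.366, 0.02589)],
    "vertical": [(3, 13.039, 0.50145)],
    "longitudinal": [(2, 13.617, 0.46698), (6, 20.871, 0.0345)],
}
TOTAL_MASS_T = 0.516  # total mass of the cabinet system, Sect. 3.3


if __name__ == "__main__":
    for direction, modes in CABINET_MODES.items():
        result = evaluate_direction(modes, direction, TOTAL_MASS_T)
        print(direction, {k: round(v, 3) for k, v in result["accelerations"].items()},
              f"mass ratio {result['mass_ratio']:.4f}", "OK" if result["mass_ok"] else "FAIL")
```

For the cabinet's modal masses A0 is of the order of 2000 m/s², so the velocity branch k·V0·ω0 is the governing one in every direction; the transverse mode 4 and 5 values and the longitudinal mode 6 value reproduce the accelerations listed in Table 3 to within 0.02 m/s², and the transverse modes together give the 97.78% mass ratio quoted in Sect. 3.3.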

3.3 Design Shock Spectrum Calculation

The modal mass distribution of the cabinet system (with shock absorbers and counterweight) in the three directions is shown in Fig. 6. It can be seen that the effective modal mass is mainly distributed in the first ten modes in all three directions. In the X direction, the first, fourth and fifth modes are dominant, and the sum of their modal masses is 0.5045 t, which accounts for 97.78% of the total mass (0.516 t). Therefore, the effective modal masses of these three modes have an important effect on the impact response of the system in this direction. In the Y direction, the effective modal mass is concentrated in the third mode, whose modal mass (0.50145 t) equals 97.18% of the total mass. In the Z direction, the second and sixth modes carry the larger effective mass, accounting for 97.2%. The effective modal masses in the three directions are listed in Table 3. It can be seen that the total modal mass in every direction satisfies the requirement of 80% of the total mass [7].

3.4 DDAM Impact Response Analysis

The response results of the cabinet system in the transverse, vertical and longitudinal directions are obtained, and the overall stress and displacement contour plots of the cabinet system in the three directions are illustrated. In the transverse direction (X direction), the maximum stress of the system is concentrated at the connection between the front side column and the bottom frame; the corresponding value is 195.52 MPa, which is less than the yield limit of 304 stainless steel (205 MPa). Therefore, the cabinet possesses good ability to resist shock from the transverse direction. It can be seen from the deformation contour plot that the largest deformation of the cabinet system appears at the connection between the left front column and the roof, and is about 3.5 cm. The result is reasonable, since the bottom and rear parts of the cabinet are mounted on spring elements while the front area is unrestrained, so the largest deformation occurs there [8]. For the impact from the vertical direction (Y direction), the maximum Von Mises stress is mainly concentrated in the angle steel and the roof connection area. The corresponding stress value is larger than 115.3 MPa, which is far less than the yield limit of the 304 stainless steel material. This is because, when the cabinet is subjected to a vertical impact, the whole body moves upward along the Y axis and the two spring dampers on the back of the cabinet tighten the angle steel. Thus, the angle steel acts

a. Distribution of effective modal mass in X direction
b. Distribution of effective modal mass in Y direction
c. Distribution of effective modal mass in Z direction
Fig. 6. Modal mass distribution of the cabinet

Table 3. Main modal parameters and design acceleration in three directions

Direction | Mode order | Frequency (Hz) | Effective mass (t) | Total effective mass (t) | Proportion | Acceleration (m/s²)
X | 1 | 10.374 | 0.30681 | 0.50455 | 97.78% | 75.247
X | 4 | 14.075 | 0.17185 | | | 104.344
X | 5 | 20.366 | 0.02589 | | | 154.886
Y | 3 | 13.039 | 0.50145 | 0.50145 | 97.18% | 91.866
Z | 2 | 13.617 | 0.46698 | 0.50148 | 97.2% | 43.072
Z | 6 | 20.871 | 0.0345 | | | 79.227


on the roof with a certain tensile force and forms a stress concentration at the right-angle joint. Additionally, the displacement contour plot shows that the maximum displacement occurs at the chassis bracket. This is caused by the thin plate structure of the chassis bracket, in which the tray position is not restrained. Clearly, the maximum deformation value of 1.35 cm is relatively small, indicating that the designed cabinet can meet the requirements of vertical impact resistance. When the longitudinal impact is input (Z direction), the maximum Von Mises stress of the cabinet system is only 87.2 MPa, which is far less than the yield limit of the material. The maximum deformation area appears at the top of the angle steel and the deformation amplitude is low. Therefore, the cabinet system can meet the requirements of longitudinal impact resistance. Based on the above analysis, the cabinet designed in this research can meet the anti-shock requirements under the DDAM empirical algorithm (Figs. 7, 8 and 9).

a. Impact stress from X direction

b. Impact displacement deformation from X direction

Fig. 7. Results of the cabinet under the shock from X direction

a. Impact stress from Y direction

b. Impact displacement deformation from Y direction

Fig. 8. Results of the cabinet under the shock from Y direction


a. Impact stress from Z direction

b. Impact displacement deformation from Z direction

Fig. 9. Results of the cabinet under the shock from Z direction

4 Conclusion

Based on the research and development background of floating nuclear reactor instrumentation and control products, this work discusses the design idea and analysis method of a shock-resistant cabinet framework, based on the design concepts of flat frame section, distributed multi-column layout, integrated structural and functional design, reduction of unnecessary mass and retention of a certain safety margin. A flattened multi-column welded structure is designed, which has the characteristics of high stiffness, small section size and light weight. Additionally, DDAM is used to carry out the mechanical simulation of the frame, and the stress assessment is carried out according to the relevant requirements of GJB1060.1. The cabinet meets the requirements of light weight and impact resistance for sheet metal cabinets. This design idea can provide a reference for the design of other shock-resistant electronic devices.

References
1. Wang, Y., Hong-Xing, H.: Modern Impact Theory and Application of Warships. Science Press, Beijing (2005)
2. Wen-Jun, S.: Rigidity and strength design of naval cast aluminum closed cabinet. Electr. Mech. Eng. 18(2), 17–21 (2002)
3. Gao-Wen, H., Wen-Jun, S.: Optimal design of ship cabinets against impact. Electr. Mech. Eng. 26(1), 10–14 (2010)
4. Lei, Z., Xi-Fang, Z.: Optimization analysis of shipborne cast aluminum closed cabinet. Electr. Mech. Eng. 26(4), 35–37 (2010)
5. Dong-Wei, W., et al.: Transient impact dynamics of electronic cabinet. J. Shanghai Jiao Tong Univ. 53(Sup.1), 109–117 (2019)
6. Naval Equipment Demonstration Research Center Standard Specification Research Room: Naval Environment Conditions Require Mechanical Environment: GJB1060, pp. 1–91. National Defense Science and Technology Work Committee, Beijing (1991)
7. Leader, L., et al.: Comparative study on impact assessment between DDAM and SRS on warship deck equipment. Naval Sci. Technol. 33(10), 54–57 (2011)
8. Navy Standard Code Laboratory: Military Equipment Environmental Test and Method Impact Test: GJB150, pp. 1–86. National Defense Science and Technology Work Committee, Beijing (1986)

Research and Application of the Verification and Validation Method Based on Embedded Technology in Nuclear Power Plants
Chao Zhang (B), Wang-Ping Ye, Sheng-Chao Wang, and Ji Shi
State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co., Ltd., Shenzhen 518172, China

Abstract. This paper introduces a new method for the research and application of software V&V based on embedded technology in nuclear power plants. Based on software test abstraction, the relationship between defect trend and cost is analyzed. Mind map test analysis is carried out, and the V&V levels are carefully defined and divided. Model-based system tests are carried out. Specification-based tests and code-based unit-level tests are organically combined. Finally, this paper summarizes the V&V scheme. This V&V method based on embedded technology has been unanimously approved by experts and has wide application prospects.
Keywords: Embedded technology · V&V · Nuclear power plant · Mind map

1 Introduction
With the continuous development and application of third-generation nuclear power technology, embedded system architecture, as a computerized system built on microprocessor technology, is frequently applied in safety-important systems. To achieve the safety and reliability objectives, embedded software testing plays an important role: its purpose is to discover software defects, repair them and ultimately improve software quality. The failure of embedded system safety may lead to disastrous consequences; in particular, such a failure in nuclear safety-related systems leads to significant risks and economic losses. Embedded software V&V therefore requires higher reliability than for ordinary software, which demands strict testing, verification and validation of embedded software to improve the reliability of products. When embedded systems/equipment are used to implement safety functions, they need to meet the requirements of the regulatory authority as well as the appraisal requirements of the owners and purchasers. Some traditional testing methods cannot keep up with the rapid development of the software testing industry. New testing methods are proposed to make up for the deficiencies of existing software testing, such as “embedded testing design based on business scenarios”, “embedded testing design based on risks”, “task-driven embedded testing design” and “exploration-based embedded testing design”. Due to the increasing complexity and functions of the software, manual testing cannot keep pace with fast iteration. To solve this problem, automated tools need to be used in place of complex manual testing processes. In terms of hardware qualification, there is a full set of mature qualification methods to ensure reliability, such as seismic qualification and electromagnetic compatibility qualification [6]. The main contents of this research include the relevant laws and standards of embedded software V&V for safety-important nuclear systems. This paper establishes an embedded software V&V technical scheme and method suitable for safety-important systems in NPPs, tests the application effect of the scheme and method in project practice, and summarizes the technical key points of the embedded software V&V process for safety-important systems in NPPs.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 463–469, 2021. https://doi.org/10.1007/978-981-16-3456-7_45

2 Research on Standards
The premise of embedded software V&V is meeting the regulations and standards. Different software testing stages require different regulations and standards for embedded software V&V activities and tasks, so the standard conformity analysis is carried out in combination with the work of each stage. The International Atomic Energy Agency (IAEA) and the International Electrotechnical Commission (IEC) promulgate the nuclear power plant software V&V standards and regulations. IEC 61508-3 defines the functional safety of electrical/electronic/programmable electronic safety-related systems [1]. It specifies the independence of software development and requires appropriate common cause failure analysis; when credible failure mechanisms are identified, effective defense measures should be taken. The correctness of embedded software is ensured from five dimensions: safety function, system configuration, hardware safety integrity requirements, software system capability requirements, and capacity and response time. IEC 62138 specifies the requirements for the software aspects of computer-based systems performing category B and C functions in nuclear power plant instrumentation and control important to safety. It is applicable to each stage of the nuclear power plant life cycle of software for computer-based systems [2]. IEEE 1012 defines the V&V process in terms of specific activities and related tasks, and also defines the V&V plan [3]. Software V&V runs through the whole product life cycle, with activities such as evaluation, analysis, review and testing. The V&V process includes the verification process and the validation process.

3 V&V Scheme
The V&V scheme decomposes and concretizes the test contents, so that the test becomes more feasible and intuitive and the test process easier to understand. The test scheme plays a very good guiding and leading role in the compilation of test cases, the construction of the test environment, and the implementation and execution of tests. Software testing is an important research field in software projects. One of the purposes of verification and validation software tests is to find as many defects as possible. From another perspective, software testing helps people to have a deeper understanding of the differences between the actual behavior and the expected behavior of the software. In order to fully carry out the software test, a complete analysis of the software input/output space is required. Software test abstraction is shown in Fig. 1. Its basic composition includes the software S, the test specification R and the software input/output space. The expected output behavior of the software can be obtained from the test specification R, while the real output behavior can only be obtained from the actual operation of the software.

Fig. 1. Software test abstraction

On the foundation of the standard research above, the V&V team has formed the embedded software V&V general scheme shown in Fig. 2. “Development and Application of Computer Software Based on Embedded Technology Safety Analysis in Nuclear Power Plants” divides the qualification activities of safety analysis software into phases including concept V&V, requirement V&V, design V&V, implementation V&V and test V&V [7, 8]. This scheme covers all test requirements; it is testable and executable. It has been reviewed and approved by the relevant project testers, research and development personnel, product managers and experts. The scheme can provide a reference for the design of research and development products. It improves the project team members' understanding of the requirements and at the same time strengthens recognition of the testing work. In the end, it enhances trust in test quality and results.

Fig. 2. General scheme of embedded technology V&V in nuclear power plant

4 V&V Strategy
The V&V strategy includes both tested and untested features. According to the test item description, the tester determines the specific test focus and strategy, as shown in Table 1. It includes the product functions under test, the key points of the test and the corresponding test technologies and methods. In the end, it provides evidence for writing test cases.

Table 1. Functional tests

Serial number | Product function description | Test focus | Testing techniques and methods | Comments
1 | …… | …… | …… | \
2 | …… | …… | …… | \

According to the test plan, the test function items are divided. The test points are extracted from the test items, including function points, performance, safety, stability, compatibility, ease of use, etc. The second and third levels of test analysis using mind maps correspond to the description of test items in the scheme. Since the mind map is produced earlier than the test plan, the tester can determine the test range and function items well according to the mind map. The mind map test analysis is shown in Fig. 3.

Fig. 3. Mind map test analysis

5 V&V Activities and Tasks
According to the requirements for performing Class B functions, the scheme matches the IEEE 1012 activities and tasks. It summarizes the specific tasks and common tasks of the five major stages in Table 2. The V&V work plan report should be compiled and published at the beginning of the V&V project, and the V&V work summary report should be compiled and published after the V&V work is completed.

Table 2. V&V tasks to be carried out in each stage of V&V activities

6 V&V Technology and Method
The V&V technology and method includes the integrated application of dynamic/static test methods and review/analysis/test technologies of the embedded V&V method in nuclear power plants, including document review, code review, traceability analysis, FMEA, code static analysis, black box testing, white box testing, etc. The comprehensive application of dynamic/static testing methods combined with review/analysis/testing technologies better meets the requirements for depth and breadth of the activities and tasks of embedded V&V of safety-important systems in nuclear power plants [4]. At the same time, it meets the principle of diversified technical means in important fields of nuclear power safety [5].


Design check and traceability analysis realize 100% quality measurement of forward and backward traceability of embedded technology V&V requirements. An important task in the software testing process is defect analysis, which yields the function modules where defects aggregate, the distribution of defects of higher severity grades, and the discovery trend and phase distribution of defects. Through defect analysis, the relationship between the bug discovery trend and the test cost can be clearly observed, as shown in Fig. 4. There are four commonly used defect parameters:
1) Status: the current status of the defect.
2) Priority: the relative importance of defects that must be addressed and resolved.
3) Severity: the degree to which the defect affects the end user, organization or third party.
4) Origin: the original fault and its location that caused the defect, or the component that needs to be repaired to eliminate the defect.

Fig. 4. Relationship between defect trend and cost

7 Application Effect
Software Contribution to Product Quality Improvement: A total of 88 problems were found in the cold water refrigeration unit software V&V project based on embedded technology. Typical problems include:
1) The software requirements did not reflect the requirements related to “parameter setting” user rights.
2) The interface relationships between function modules were not clearly reflected.
3) The detailed implementation requirements for online upgrade were not reflected.
4) The response time exceeded the limit.


Recognition by Experts in the Nuclear Power Field: The cold water refrigeration unit software V&V project based on embedded technology is standardized and rigorous. It meets the requirements of independence and conforms to the provisions of the relevant laws and standards. Software V&V work effectively ensures the software quality of embedded technology products; in the end, it meets the requirements of the national regulatory authorities and has good application and promotion value.

8 Conclusion
Through engineering practice, a new V&V method based on embedded technology is proposed in five dimensions: standard research, V&V scheme, V&V strategy, V&V activities and tasks, and V&V technologies and methods. Based on software test abstraction, the relationship between defect trend and cost is analyzed. Specification-based tests and code-based unit-level tests are organically combined. Finally, the method meets the requirements of the national regulatory authorities and has good application and promotion value.

References
1. IEC 61508-3: Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 3: Software requirements (2010)
2. IEC 62138: Nuclear power plants - Instrumentation and control systems important to safety - Software aspects for computer-based systems performing category B or C functions (2004)
3. IEEE 1012: IEEE Standard for Software Verification and Validation (2004)
4. HAD 102/16: Systems Important to Safety Based on Computer of Nuclear Power Plants (2004)
5. HAF102: Regulation for Nuclear Power Plant Design Safety (2004)
6. Zhao, J., He, Y.-N., Gu, P.-F., Chen, W.-H., Gao, F.: Reliability of digital reactor protection system based on extenics. Springerplus 5(1), 1–9 (2016). https://doi.org/10.1186/s40064-016-3618-y
7. Liang, H.H., Gu, P.F., Tang, J.Z., et al.: A study of implementation V&V activities for safety software in the nuclear power plant. In: Nuclear Power Plants: Innovative Technologies for Instrumentation and Control Systems (2017)
8. Gu, P.F., Liu, Z.M., Liang, H.H., et al.: Evaluation measures about software V&V of the safety digital I&C system in nuclear power plant. In: Nuclear Power Plants: Innovative Technologies for Instrumentation and Control Systems (2018)

Research and Application of Time-PSF Calculation Method for HRA in Nuclear Power Plant
Qian Wu (B), Yi-Ming Liu, and Rui-Ping Zhang
Department of Electrical and I&C, Hualong Pressurized Water Reactor Technology Corporation Ltd., Beijing 100036, China

Abstract. This paper studies the quantitative method of the Time-PSF in HRA of nuclear power plants, determines the preconditions of the quantitative calculation, sorts out the quantification process, and introduces the key steps of the quantification process in detail. Taking the “Medium Break LOCA (superimposed cooling failure)” event as an example, the processing flow based on the SOP (state oriented operation procedures) and SEOP (symptom oriented operation procedures) emergency response procedures is analyzed respectively, and the required time is quantified by the method introduced in this paper. The proposed method solidifies the process, ensures that the analysis has reasonable preconditions, and solves the problems of basic data being difficult to obtain and difficult to quantify; it makes the Time-PSF assessment more accurate and reliable on the basis of quantitative calculation, and thereby improves the accuracy of evaluating the human error probability (HEP) in the digital main control room, so as to provide a reference for HRA staff. In addition, implementing the calculation method helps to identify the actions with a high probability of human error, and further optimize the function allocation and system design.
Keywords: Time-PSF · HRA · SOP · SEOP

1 Introduction
In recent years, more and more human behaviors and activities are considered in the safety evaluation of large-scale complex industrial systems. Human reliability analysis (HRA), i.e. the analysis of important personnel actions, is an important element of human factors engineering. HRA is a method or systematic process for analyzing and evaluating human reliability. The purpose of human reliability research is to analyze, predict and improve the human contribution to system reliability, to reduce and prevent human error, and to ensure the safety and reliability of system operation [1]. In probabilistic safety analysis (PSA), HRA is an essential part. The International Atomic Energy Agency (IAEA) points out that HRA quality is one of the important indicators for measuring the quality of a PSA report [2, 3].

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 470–482, 2021. https://doi.org/10.1007/978-981-16-3456-7_46


HRA is used for the qualitative and quantitative analysis of human reliability and has been studied and applied for more than 50 years. The commonly used HRA methods include Swain's technique for human error rate prediction (THERP), human cognitive reliability and operator reliability experiments (HCR and ORE), the reason-based decision tree model (CBDTM) and Standardized Plant Analysis Risk Human Reliability Analysis (SPAR-H) [4–6]. The SPAR-H method divides human action into two parts: a diagnosis part and an operation part. In the diagnosis part, operators understand the current conditions, plan and optimize behaviors, and determine reasonable actions according to their own knowledge and experience. The operation execution part includes operating equipment, equipment layout, pump start-up, setting values, tests and other actions according to the procedures or orders of the nuclear power plant. The SPAR-H method considers the influence of eight PSFs (performance shaping factors) on human behavior and reflects them in the quantification process. The eight PSFs are: time, pressure, complexity, training and experience, procedures, ergonomics and human-system interface, responsibility suitability, and process [7]. The quantitative calculation is divided into diagnosis human error analysis and operation human error analysis, and mainly includes three steps: 1. the human error probability of diagnosis and operation is quantified by determining the 8 PSF factors; 2. the uncertainty distribution is calculated; 3. correlation is processed. The biggest difficulty when determining the 8 PSF values is obtaining the basic data, especially the time evaluation. To evaluate the time value of diagnosis and operation, two kinds of basic data must first be obtained: the available time and the required time; the former is obtained through thermal engineering calculation, while the latter is obtained by interviewing operation professionals, so subjectivity has a certain influence on the quantitative calculation.
The method proposed in this paper solidifies the process, gives the required time according to interviews with operators (or simulator tracking), and analyzes the rationality of the result, so as to ensure the rationality of the analysis scenario, plant, procedures, operation experience, etc. It solves the problems of basic data being difficult to obtain and difficult to quantify, so as to make the Time-PSF assessment more accurate and reliable on the basis of quantitative calculation, thus improving the accuracy of evaluating the human error probability (HEP) in the digital main control room and providing a reference for HRA staff. In addition, implementing the calculation method helps to identify the actions with a high probability of human error, and further optimize the function allocation and system design.

2 Research of Time-PSF Calculation Method for HRA
2.1 General Introduction of the Method
The SPAR-H method divides human action into two parts: a diagnosis part and an operation part. In the quantitative calculation, the human error probability of diagnosis and operation is determined by determining the eight PSF factors. Among them, the time evaluation needs to be evaluated after quantitative calculation. The following difficulties need to be solved in the process:
a) The basic human error data include the human errors of diagnosis and operation, which are not fully studied in current research;
b) To evaluate the time value of diagnosis and operation, both the available time and the required time must first be obtained; the former is obtained through thermal engineering calculation and the latter by interviewing operation professionals, so subjectivity has a certain impact on the quantitative calculation;
c) The main human behaviors affecting nuclear power plant operation safety are concentrated in the main control room (MCR). In an accident scenario, the MCR operator has the decision-making power to deal with the plant accident. At present, the accident procedures used by operators are mainly “symptom oriented emergency operation procedures” and “oriented emergency operation procedures”. Different procedure systems and staffing lead to different basic data being required for the evaluation of operator diagnosis and operation time;
d) In a specific analysis, the time for personnel to complete an operation may differ, which has a certain impact on the quantitative results.
In human reliability analysis, the PSFs and their levels involved in an HFE are determined through scenario analysis and task analysis. This paper proposes a method for obtaining the basic data of diagnosis and operation when the Time-PSF is evaluated, and thereby solves the problem that operator diagnosis and operation time are difficult to quantify accurately in the SPAR-H method.

Premise of Quantitative Calculation. The basic assumptions of the human error analysis are: personnel respond according to operation specifications and procedures, the main control room is a digital main control room based on a digital control system (DCS), the procedures can adopt SOP and SEOP, and the management and operation documents meet the following requirements:
a) All quality-related or safety-related operations must be carried out according to approved detailed written procedures;
b) The documents are compiled in accordance with the guideline HAF 0405 “Quality Assurance in the Commissioning and Operation of Nuclear Power Plants” issued by the NNSA, and the procedures are prepared according to the general principles of quality assurance of nuclear power plants and actual operation experience;
c) Operation procedures shall be prepared for the system or equipment during normal operation of the plant and after an event or accident. All procedures shall be developed and approved before they are used to carry out the specified safety activities.


Time-PSF Quantitative Process. To quantify the Time-PSF of the SPAR-H method, first the human error event information must be determined, to ensure that the operator obtains uniform input information; different accident response strategies may lead to different required times, which also needs to be taken into account; on this basis, the required time is calculated and the assessment is completed according to the standards. The process is shown in Fig. 1.

Fig. 1. Time-PSF quantitative process (human error information → accident response process → calculation → Time-PSF assessment)

2.2 Key Steps of the Method
Taking the “MBLOCA superimposed cooling failure” event as an example, this section introduces the key steps.
Human Error Information. The upstream information includes: human error event description, time window, key signals, event tree, accident process, etc.
Accident Response Procedures. The scenario and background are the basic conditions for quantifying the PSF. The accident response procedures, personnel allocation, training, etc. of the unit are determined in the scenario selection module. This paper only focuses on the scenarios related to the time PSF. At present, the mainstream accident response procedures are SOP, SEOP and EOP (event oriented operation procedures), which will not be discussed further. Due to the different design methods of these accident response procedures, operators may have different accident diagnosis and operation times when executing the procedures (Fig. 2). SOP does not depend on the specific initiating event; it is based on the state of the unit combined with the actual parameters to guide the corresponding accident response procedures. It can be understood as integrating event oriented guidance into the process of cyclic state parameter diagnosis, i.e. state oriented & event oriented. The SOP procedure realizes closed-loop control: diagnosis-action-supervision-reorientation-action. SOP adopts a cyclic structure to diagnose the unit status and equipment availability. SEOP uses event orientation to deal with accidents in time. When complex accidents such as superimposed accidents occur, it uses symptom guidance to diagnose and deal with them, that is, event oriented + symptom oriented. SEOP adopts a linear structure and its design principle is simple and efficient. There are great differences in the staffing of different accident response procedures. These are the key scenario factors that affect the basic data of operator diagnosis and operation time, which need to be determined first.

Fig. 2. Accident response strategy

Response Process. After the initial accident is determined, the response process is completed under the specific accident procedures. There are great differences between SOP and SEOP (Figs. 3 and 4).

Fig. 3. SOP process


Fig. 4. SEOP process

Taking SOP as an example, the processing flow is as follows:
Step 1: determine the calculation example (taking “MBLOCA (superimposed cooling failure)” as an example);
Step 2: determine the first accident;
Step 3: enter DOS to start diagnosis;
Step 4: enter ECP2 according to the DOS diagnosis;
Step 5: enter ECP4 according to ECP2-SEQ2;
Step 6: ……
It should be noted that once step 2 is determined, step 3 and the subsequent steps can be implemented in strict accordance with the requirements of the procedures (while SEOP implements procedures E and F as required). The whole process includes diagnosis and action. The basic data of diagnosis and operation time are generated in this module.


Calculation Method
The data acquisition and calculation module performs the data acquisition and calculation work in the above processing flow. For SOP, the calculation formula is as follows:

$$T_d = \sum_{1}^{n} (T_{Dn} \times k) + \sum_{1}^{m} \left\{ \sum_{q=1}^{7} \left[ (T_{Dm} \times k) + \sum_{i=1}^{NI_i} (T_{Iiq} \times k) + \sum_{j=1}^{NS_j} (T_{Sjq} \times k) \right] \times k \right\}$$

$$T_e = \sum_{1}^{r} (T_{Er} \times k)$$

Where:
Td = diagnosis time;
Te = action time;
TDn = time for DOS procedure diagnosis;
TIiq = time for executing ECPq-IO procedure diagnosis;
TSjq = time for executing ECPq-IO procedure diagnosis of item Q;
NIi = total number of pages executed by Q-ECPq-IO procedure;
NSj = total pages executed by ECPq-SEQ procedure;
TDm = time for DOS procedure action;
TEr = time for ECP procedure action;
k = 1 if the processing flow needs to execute item Q or page I or page J; k = 0 if the processing flow does not need to execute item Q or page I or page J.
Note: ECPq-IO: IO part of procedure ECPq, such as ECP4-IO; ECPq-SEQ: SEQ part of procedure ECPq, such as ECP4-SEQ4.
It should be noted that:
1. At the beginning of the interview, it is necessary to make the accident situation clear to the operator;
2. The operation time depends on the operator's implementation process and the accident development process;
3. The processing time of each page of the procedures is the basic data to be collected.
For SEOP, the calculation formula is as follows:

$$T_d = \sum_{1}^{a} (T_{Ea} \times k) + \sum_{1}^{b} (T_{Fb} \times k)$$

$$T_e = \sum_{1}^{x} (T_{Ex} \times k) + \sum_{1}^{y} (T_{Fy} \times k)$$

Where:
Td = time needed for diagnosis;
Te = time required for action;
TEa = time for performing step a diagnosis of procedure E;
TFb = time for performing step b diagnosis of procedure F;
TEx = time for performing step x of procedure E;


TFy = time for performing step y of procedure F;
k = 1 if step a, b, x or y is required for the processing flow; k = 0 if step a, b, x or y is not required for the processing flow.

Time-PSF Assessment
The Time-PSF is evaluated according to NUREG/CR-6883; the Time-PSF value selection is shown in Table 1 [8].

Table 1. Table of time-PSF assessment (columns: PSF level, accident diagnosis value, comments; the comments column records the detailed reasons for selecting the PSF level).

Power operation diagnosis part:
  Not enough time: P(failure) = 1.0
  Just enough time (≈ 2/3 times nominal time): 10
  Nominal time: 1
  Sufficient time (1–2 times of nominal time and >30 min): 0.1
  A lot of time (>2 times nominal time and >30 min): 0.01
  Lack of information: 1

Power operation action part:
  Not enough time: P(failure) = 1.0
  Just enough time (≈ required time): 10
  Nominal time: 1
  Sufficient time (≥5 times the required time): 0.1
  A lot of time (≥50 times the time required): 0.01
  Lack of information: 1

Low power operation diagnosis part:
  Not enough time: P(failure) = 1.0
  Just enough time (≈ 2/3 times nominal time): 10
  Nominal time: 1
  Sufficient time (1–2 times of nominal time and >30 min): 0.1
  A lot of time (>2 times nominal time and >30 min): 0.1–0.01
  Lack of information: 1

Low power operation action part:
  Not enough time: P(failure) = 1.0
  Just enough time (≈ required time): 10
  Nominal time: 1
  Sufficient time (≥5 times the required time): 0.1
  A lot of time (≥50 times the time required): 0.01
  Lack of information: 1

3 Examples of Application of the Method
In this part, the quantitative process of the Time-PSF is described in detail. Taking “MBLOCA (superimposed cooling failure)” as an example, the diagnosis time depends on the accident response procedures.

3.1 Quantitative Process Based on SOP
Based on the calculation method of SOP, the following steps are carried out:
Step 1: Determine the calculation example. This example takes the “MBLOCA (superimposed cooling failure)” event as an example;
Step 2: Determine the accident response procedures. The implementation example takes SOP as an example;
Step 3: Task analysis of this example. The initial accident: the reactor building radioactivity alarm appears, and the primary circuit pressure continues to drop, resulting in automatic shutdown and safety injection;
Step 4: Time calculation of this example. Example step 1, DOS diagnosis: execute the first to the fifth page of the DOS procedure; the execution time of each page is 2 min, 3 min, 0.5 min, 0.5 min and 1 min.


The diagnosis time of DOS = $\sum_{1}^{n} (T_{Dn} \times k)$ = 2 + 3 + 0.5 + 0.5 + 1 = 7 min. Similarly, ECP2 diagnosis time = 4 + 1 + 5 + 1 + 1 = 12 min; ECP2 action time = 4 + 5 = 9 min; ECP4 diagnosis time = 4 + 1 + 1 + 1 + 2 = 10 min; ECP4 action time = 4 min.
Step 5: Time-PSF value evaluation. Diagnosis time: 38 min, compared with the available diagnosis time from the thermal engineering calculation, take the value according to the table; action time: 4 min, compared with the available action time from the thermal engineering calculation, take the value according to the table (Fig. 5).

3.2 Quantitative Process Based on SEOP
The calculation method based on SEOP performs the following steps:
Step 1: Determine the calculation example. This example takes the “MBLOCA (superimposed cooling failure)” event as an example;
Step 2: Determine the accident response procedures. The implementation example takes SEOP as an example;
Step 3: Task analysis of this example. The initial accident: the reactor building radioactivity alarm appears, and the primary circuit pressure continues to drop, resulting in automatic shutdown and safety injection. Treatment process: in SEOP, the reactor trip and safety injection are triggered after the primary circuit break, and the E00 diagnostic procedure is implemented. Suppose that the three SGs lose all feedwater and the F31 red light is on; the time of entering the F31 procedure is close to the SG failure time.
Step 4: Time calculation of this example. According to procedure E, the expected time is 5–10 min. The time of each step is as follows: 1−0.5 min, 2−1 min, 3−0.5 min, 4−0.5 min, 5−1 min, 6−0.5 min, 7−1 min, 8−2 min, 9−1 min, 10−3 min, 11−1 min, 12−2 min, 13−2 min, 14−2 min, 15−1 min, 19−1 min, 20−1 min, 21−0.5 min, 22−1 min, 23−3 min, 24−1 min. Diagnosis time = 0.5 + 1 + 0.5 + 0.5 + 1 + 0.5 + 1 + 2 + 1 + 3 + 1 + 2 + 2 + 2 + 1 + 1 + 1 + 0.5 + 1 = 2.5 + 10 + 8 + 3 = 23.5 min; action time = 4 min.
Step 5: Time-PSF value evaluation. Diagnosis time: 23.5 min, compared with the available diagnosis time from the thermal engineering calculation, take the value according to the table; action time: 4 min, compared with the available action time from the thermal engineering calculation, take the value according to the table (Fig. 6).


Fig. 5. Example of accident response process for SOP


Fig. 6. Example of accident response process for SEOP

4 Conclusions

In this paper, the quantitative process of Time-PSF in the HRA of a nuclear power plant is introduced. Taking the “MBLOCA (superimposed cooling failure)” event as an example, the processing flow based on the SOP and SEOP accident response procedures is analyzed respectively. Through the quantitative method and the application examples, it can be seen that clear human error event information helps interviewees reach a highly consistent understanding, and that different accident response strategies may yield different accident response times. The method proposed in this paper solidifies the process, ensures that the analysis has reasonable and consistent preconditions, solves the problem of difficult acquisition of basic data, makes Time-PSF assessment more accurate and reliable, and improves the accuracy of human error probability (HEP) evaluation in the digital main control room, so as to provide a reference for HRA staff. In addition, implementing the calculation method helps to identify the actions with a high probability of human error, and to further optimize function allocation and system design.


Reliability Assessment Research and Application for PCBA Solderless Press-In Connection Technique in DCS Safety Class Devices in Nuclear Power Plants

Zhong-Qi Liang, Jian-Gang Li(B), Rui-Feng Zhang, and Lian-Chun Wang
China Techenergy Co., Ltd., Beijing 100094, China

Abstract. The press-in terminal has a special-shaped cross-section suitable for press-in connection. According to the design of the press-in terminal, press-in connection is divided into two processes: solid press-in connection and flexible press-in connection. This paper mainly analyzes the requirements of the PCBA flexible solderless press-in connection process introduced in the DCS safety equipment of nuclear power plants and identifies the key control requirements. The test items are determined by the design of the application scheme, various forms of tests are conducted, and the test data are obtained. Based on analysis of the test results, the reliability of the flexible press-in connection process implementation is verified, which lays the foundation for later application of the flexible press-in connection process and can also form a set of evaluation methods for it.

1 Background Introduction

The PCBA solderless press-in connection technique fits elastically deformable pins or rigid pins into the metallized holes of a PCB, forming close contact between the pins and the metallized holes and realizing an electrical connection by a mechanical connection. The continuous development of electronic products has placed ever-increasing demands on product consistency and high density. Compared with soldering, the features and advantages of press-in connection are: no thermal stress produced on the PCB; no conducting substance such as residual flux or solder beads left that may affect reliable connection; determined contact impedance and good high-frequency performance; high efficiency and low cost; and good maintainability. Soldering is no longer practical for small connectors with fine spacing and multi-row pins using previous techniques, and the press-in connection technique has been widely accepted and applied for its very high reliability and easy operation. Today, the PCBA solderless press-in connection technique is widely applied in products with high reliability requirements (such as military industry, railway and automobiles); in view of its advantages, it has also been adopted by CTEC in the devices of nuclear class digital I&C systems.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021 Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 483–489, 2021. https://doi.org/10.1007/978-981-16-3456-7_47


According to the analysis in HAF601 and HAF003 of the process control requirements for safety class cards [1, 2], the reliability of PCBA solderless press-in connected products mainly depends on the technical fit between the press-in connection ends and the PCB plated holes, and visual inspection alone is not sufficient to verify this reliability; therefore, a set of objective and effective type test methods is required for the assessment.

2 Demand Analysis

At present, the technical requirements of the electronic assembly industry on PCBA solderless press-in connection are mainly based on the international standard IEC 60352-5:2012 Press-in connection - General requirement, test methods and practical guidance and the Chinese national standard GB/T 18290.5-2000 Solderless connections - Part 5: Solderless press-in connections - General requirements, test methods and practical guidance. In summary, the main requirements include the following:

Press-in connection equipment. The equipment needs to fully control the pressure, press-in distance and speed, to ensure correct application of these factors for different products.

Press-in connection ends. It is confirmed in design type selection that the materials, dimensions, surface coating and structural characteristics of the connection ends (connection elements) comply with the requirements in GB/T 18290.5-2000; however, the reliable fit of the connection elements in the PCB plated holes shall be assessed after completion of press-in connection.

PCB and plated holes. The PCB thickness is the basic guarantee of press-in connection strength, and the required thickness is 1.5–6.4 mm [3]; for the plating layer and the dimensions of plated holes, the specific parameter ranges are given in the Chinese national standard and the IEC standard, and they are also important to ensure the stability of the press-in connection technique. For the detailed requirements, refer to Table 1 Requirements on plated holes [3].

Table 1. Requirements on plated holes

Hole diameter (mm) | Diameter of plated hole after plating (mm), solid press-in connection end | Diameter of plated hole after plating (mm), flexible press-in connection end | Metal layer thickness of plated hole (µm)
0.9 ± 0.025  | --              | 0.8 ± 0.05      | Copper ≥ 25, or copper ≥ 25 plus tin or tin-lead plating layer ≥ 15 (applies to all rows)
1.0 ± 0.025  | 0.9 ± 0.05      | 0.9 ± 0.07      |
1.15 ± 0.025 | 1.0 +0.04/−0.06 | 1.0 +0.09/−0.06 |
1.75 ± 0.025 | 1.6 +0.04/−0.06 | 1.6             |

Notes: 1. Values in this table are from practical experience in applying the hole dimensions on products in various aspects. 2. The hole diameter is extremely important in determining the reliability of press-in connections.


3 Application Scheme Design

According to the technical requirements on PCBA solderless press-in connection, automatic press-in connection equipment was used, with the working mode of automatic adjustment of press-in travel and force once a constant press-in speed is set; the whole press-in operation was performed automatically and the press-in force values were recorded in the computer. After completion of press-in, no damage to the press-in ends or the PCB was found in visual inspection; however, whether the connection is reliable depends on the result of the type test. The PCB thickness is 3 mm, the plated hole material is copper with a tin surface plating, and the hole diameter range after plating complies with the requirements in the national standard. The test samples of press-in connection elements were of three types, all with the same “needle hole” connection end type of 0.3 mm and all in copper alloy. According to the IEC standard, the connection end manufacturer specified the maximum press-in force of the devices as 100 N, and all test items in the application test were conducted according to IEC 60352-5:2012 [4], to verify the effectiveness and reliability of this press-in connection end. The above analysis showed that all indicators in the test met the requirements in the national standard and can satisfy the process verification in the basic test. The process flow of the test is shown in Fig. 1 Test items and process.

Fig. 1. Test items and process


Microscopic check of connection points after press-in connection is not required in the national standard, however, according to the analysis of the process control requirements in HAF003 of the nuclear power industry [2], and with reference to the requirements on press-in connection points in IEC 60352-5:2012, the metallographic section inspection was added, and the test process is as shown in Fig. 2 Test items and process.

Fig. 2. Test items and process

4 Verification Results of PCBA Weldless and Pressed-In Connection

First, the sample appearance check was made, with the result: no obvious physical damage, no burr or crack in the shell/side jacket, and the connector plugs and pins were all straight. Next, some samples were tested for push-out force to detect the mechanical strength in the initial state after press-in connection. The target value was no less than 10 N/pin. The values may vary for different types of terminals, and the standards require that the values be provided by the terminal manufacturer. For specific analysis of test data, refer to Table 2 Push-out test value.

Table 2. Push-out test value

Number of samples | Max. value (N/pin) | Min. value (N/pin) | Judging criterion | Result
A11–A30 | 24.39 | 20.91 | It is specified in IEC 60352-5:2012 that the standard push-out force provided by the connector manufacturer shall be ≥ 10 N/pin | Qualified
B11–B30 | 48.93 | 35.57 | (same criterion) | Qualified
C11–C30 | 29.33 | 24.46 | (same criterion) | Qualified


The contact resistance was tested twice, before and after rapid temperature change, and the change in the sample data before and after the external environmental stress was applied was examined, to determine whether an effective electrical connection still remains at the press-in connected contact and so verify its long-term reliability. The PCBs used this time were formal nuclear safety class products, and the electrical connections at multiple points form a volumetric resistance, so it was not possible to accurately measure the contact resistance of individual press-in connection points; the analysis therefore focused on the change of resistance value before and after the temperature cycling. For specific analysis of test data, refer to Table 3 Contact resistance test value.

Table 3. Contact resistance test value

Sample No. | Contact resistance (mΩ) before temperature impact | Contact resistance (mΩ) after temperature impact | Max. variation value (mΩ) | Judging criterion | Test conclusion
A31–A50 | 1.79 | 2.15 | 0.36 | The variation value shall be ≤ 0.5 mΩ according to the IEC 60352-5:2012 qualification test | Qualified
B31–B50 | 2.15 | 2.54 | 0.39 | (same criterion) | Qualified
C31–C50 | 1.21 | 1.55 | 0.34 | (same criterion) | Qualified

Then comes the last item of the test, the push-out test after rapid temperature change. The same principle applies: to test whether the connection points still meet the requirements a period of time after the environmental stress is applied, and so verify the long-term reliability of the mechanical connection. For specific analysis of test data, refer to Table 4 Push-out force test value after rapid temperature change.

Table 4. Push-out force test value after rapid temperature change

Sample | Max. value (N/pin) | Min. value (N/pin) | Judging criterion | Result
A31–A50 | 24.24 | 21.19 | It is specified in IEC 60352-5:2012 that the standard push-out force provided by the connector manufacturer shall be ≥ 10 N/pin | Qualified
B31–B50 | 46.98 | 39.49 | (same criterion) | Qualified
C31–C50 | 36.02 | 25.69 | (same criterion) | Qualified


In addition, some samples were used for metallographic section examination. According to the guidelines of the IEC standard, transverse and longitudinal slicing was made on the press-in connection part respectively, values were measured and the microscopic condition of the plated hole wall was observed; for the detailed data analysis conclusions, refer to Fig. 3 Metallographic sections.

Fig. 3. Metallographic sections (panels: C2 transversal section view; C1 transversal section view; C6 longitudinal section view, in good condition; A7 longitudinal section view, in good condition)

5 Verification Conclusion on PCBA Solderless Press-in Connections

Through the above various forms of test data analysis, the reliability of the implementation of the solderless press-in connection process is verified; later, it can be combined with the actual product process requirements to establish a set of evaluation methods for the connection reliability of PCBA solderless press-in type equipment in the DCS safety class devices of nuclear power plants.


References

1. State Environmental Protection Administration: HAF601 Regulations on the Supervision and Management for Design, Manufacturing, Installation and Non-Destructive Test of Civilian Nuclear Safety Equipment (2008)
2. National Nuclear Safety Administration: HAF003 Code on the Safety of Nuclear Power Plant: Quality Assurance. Atomic Energy Press, Beijing (1991)
3. State Bureau of Quality Technical Supervision: GB/T 18290.5-2000 Solderless connections - Part 5: Solderless Press-In Connections - General Requirements, Test Methods and Practical Guidance
4. International Electrotechnical Commission: IEC 60352-5:2012 Press-in Connection - General Requirement, Test Methods and Practical Guidance (2012)
5. The Institute of the Interconnecting and Packing Electronic Circuit: IPC-A-610 Acceptance conditions for electronic assemblies

Research on the Application of Human Factors Engineering in the Physical Protection System of Nuclear Facilities

Bi-Yao Wang(B), Hua-Ping Chen, Jian Liu, Ji-Wei Zhang, Shuang Li, Qian Zhang, and Zhen-Hua Luan
State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co., Ltd., Shenzhen 518172, China

Abstract. In the past few years, human-caused failures have occurred frequently at nuclear power plants, such as the wrong forcing of signals, the wrong interval, and improper operation. They have all directly produced serious consequences. In the physical protection system, security personnel misoperations occurred in multiple projects, resulting in varying degrees of damage to the equipment. Therefore, how to effectively improve the reliability and effectiveness of the civil air defense of the physical protection system becomes particularly important. This article uses Human Factors Engineering to optimize the physical protection system in terms of environmental design, work area layout, equipment maintenance space and alarm management, so that security personnel can improve work efficiency in a comfortable environment, and achieve the best match between man, machine and environment.

Keywords: Physical protection system · Human factors engineering · Optimization · Environmental design · Work area layout · Equipment maintenance space · Alarm management

1 Introduction

Physical protection is responsible for the control of dozens of entrances and exits of the whole plant and for the perimeter safety management of several kilometers. In case of intrusion or other alarm events, personnel in the Security building and guard room must respond in time to ensure that the response force can control the intrusion in time. Therefore, personnel in the Security building and guard room take turns on duty 24 hours a day to ensure the reliability and effectiveness of civil air defense. Consequently, how to reduce the fatigue of security personnel through Human Factors Engineering and improve their work efficiency in a comfortable environment directly affects the prevention capability of the whole Physical Protection System. At the same time, the reliability of physical protection is further improved by optimizing the operating equipment through Human Factors Engineering.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021 Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 490–504, 2021. https://doi.org/10.1007/978-981-16-3456-7_48


Based on the theory of Human Factors Engineering, this paper makes the design of the Physical Protection System’s man-machine-environment system conform to the physical structure and the physiological and psychological characteristics of security personnel, realizes the best match among man, machine and environment, and enables workers under different conditions to work effectively, safely, healthily and comfortably. At the same time, following the research route of “human factor design investigation - on-the-spot investigation - human factor design optimization”, the application of Human Factors Engineering in the Physical Protection System is discussed by making full use of the actual situation of the projects.

2 Analysis of Human Factors Engineering in the Physical Protection System of Nuclear Facilities

In 2017, the author investigated the existing problems in environmental design, work area layout, alarm optimization and other aspects of five nuclear power projects in operation (denoted A, B, C, D and E) through questionnaires. A total of 85 questionnaires were sent out and 68 were returned, including 13 for Project A, 10 for Project B, 28 for Project C, 7 for Project D and 10 for Project E. All the personnel involved in the investigation have worked in the field of physical protection for many years. The statistical results obtained from the survey data are shown in Fig. 1 below. From the investigation results, we can see that the degree of irrationality in environmental design, work area layout and alarm management is high, so it is essential to optimize Human Factors Engineering in these aspects. Through further on-site investigation, physical protection can be optimized in Human Factors Engineering from the following four typical directions.
a) Environmental design - optimize the lighting of the Security building. Aiming at the problems that the illuminance of some areas in the Security building cannot meet the requirements and there are dead corners of lighting, a lighting model of the working area is constructed. It is necessary to put forward a solution to the unreasonable temperature and humidity of the guard room, optimize the temperature difference between the Security building work area and the equipment, use building materials and corresponding measures to reduce the impact of noise on site personnel, and improve the vigilance and comfort of personnel.
b) Work area layout design - Computerized Operating Work Station design, architectural design, seat design, etc. are optimized based on Human Factors Engineering.
c) Optimal design of alarm classification management - classify and grade the different alarms in the Physical Protection System, and develop a list of physical protection alarms.
d) Equipment maintenance personnel design - design and put forward clear requirements for physical protection equipment maintenance space and drawings to improve the efficiency and comfort of maintenance personnel.

Fig. 1. Statistical results of human factor rationality in physical protection system (bar chart of the degree of irrationality, 0.00%–100.00%, for each of the following 25 survey items). 1. Guard room lighting brightness of work area; 2. Guard room lighting brightness of equipment area; 3. Security building lighting brightness of work area; 4. Security building equipment room lighting brightness; 5. Security room temperature and humidity; 6. Security building equipment room lighting brightness; 7. Security building color uniform collocation; 8. Guard room noise; 9. Security building noise; 10. Fire prevention in guard room; 11. The X-ray machine blocks the line of sight; 12. Security building structure; 13. Distance between Security building display screen and…; 14. Guard room seat adjustability, shock absorption; 15. Guard room seat footrest; 16. Guard room seat back, armrest; 17. Security building seat adjustment and shock absorbing; 18. Security building seat footrest; 19. Security building seat back, armrest; 20. Security building works in two ways: sitting and standing; 21. Security building bend-to-stand space; 22. Space during equipment maintenance; 23. Alarm classification; 24. Security building set up file storage cabinet; 25. Security building communication timely and smooth.

3 Optimization Design of Human Factors Engineering in the Physical Protection System of Nuclear Facilities

3.1 Environmental Design

3.1.1 Lighting

According to the environmental design lighting data in Sect. 2, the lights in the Security building and guard room all show a certain amount of shadow, reflected light and glare. According to Human Factors Engineering theory, lighting has an important influence on the work efficiency of operators. Whether the lighting conditions are reasonable directly affects the fatigue of the eyes, and personnel need to take turns on duty 24 hours a day in the Security building. Therefore, how to design a scientific and reasonable lighting environment to reduce the fatigue and drowsiness of the operators and reduce the probability of the operators making mistakes due to lighting defects is the focus of this section. According to the survey results and the project investigation, the main lighting problems in the Security building are:
1) Security building lighting uses a single type of lamp, which leads to illuminance in the working area not meeting the requirements and to dead corners of lighting.
2) The distribution of lamps is unreasonable, resulting in reflected light and glare in some areas.
3) The lighting angle of the lamps is unreasonable and there is shadow on the operating table.
According to “HAF-J0055-1995 Human Factors Engineering Principle for Nuclear Power Plant Control Room Design” [1], the specific requirements for lighting include: average illuminance of 100–500 lx, adjustable; the uniformity shall not be less than 0.7. Therefore, referring to the lighting standard, it is suggested that the average illuminance in the Security building should be 100–500 lx and the uniformity should not be less than 0.7. According to the investigation results, aiming at the problems that the illuminance of the working area cannot meet the requirements and there are dead corners of lighting, an optimization scheme is proposed to construct a lighting model for the working area of the Security building, and the Security building is divided into five areas for optimal lighting design. According to the divided areas, and referring to “GB50034-2013 Building Lighting Design Criteria” [2], the following table gives the illuminance requirements of each area in this design (Table 1):

Table 1. Regional illuminance design requirements.

Partition | Lighting design requirements: recommended value | Lighting design requirements: target value | Project A design illuminance | Project B design illuminance | Design illuminance of this plan
Area 1 | 100–700 lx | 350 lx | 491 lx | 690 lx | 300–500 lx
Area 2 | 100–700 lx | 250 lx | 386 lx | 649 lx | 200–500 lx
Area 3 | 100–650 lx | 400 lx | 422 lx, 387 lx | 562 lx | 200–400 lx
Area 4 | 100–700 lx | 500 lx | 405 lx | 575 lx | 100–500 lx
Area 5 | 0–650 lx | 500 lx | 433 lx | 823 lx | 100–500 lx

Security building lighting is mainly provided by the hidden tube lamp of the ceiling through the diffuse reflection of the ceiling. The main specifications are 1.2 m and 0.6 m tube lamps. 36 W T8 tube (1.2 m) and 18 W T8 tube (0.6 m) are preferred for simulation. The specific modeling scheme is as follows (Fig. 2):


Fig. 2. Stereoscopic front view of lighting model in Security building.

Finally, the regional illuminance distribution is simulated. According to the division of regions, the average illuminance and uniformity are calculated from sampled points. Because the sampling positions on the illuminance distribution map cannot be located exactly, the values read from the map deviate somewhat from the calculation below; in actual engineering use the point locations must be simulated accurately (Table 2).

Table 2. Calculation results of regional illumination.

Area 1: Control area
Measuring point | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10
Illuminance (lx) | 369 | 415 | 483 | 407 | 475 | 402 | 410 | 411 | 471 | 454
Average illuminance: 430 lx; Uniformity: 0.86

Area 2: Surveillance zone
Measuring point | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20
Illuminance (lx) | 368 | 421 | 381 | 439 | 481 | 383 | 339 | 354 | 402 | 488
Average illuminance: 406 lx; Uniformity: 0.84

Area 3: Auxiliary control area
Measuring point | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46
Illuminance (lx) | 267 | 208 | 234 | 182 | 297 | 237 | 135 | 278 | 276 | 307 | 261 | 253 | 214 | 222 | 196 | 187
Average illuminance: 234 lx; Uniformity: 0.58

Area 4: Gateway district
Measuring point | 26 | 27 | 28 | 29 | 30
Illuminance (lx) | 214 | 274 | 295 | 259 | 208
Average illuminance: 250 lx; Uniformity: 0.86

Area 5: Maintenance area
Measuring point | 21 | 22 | 23 | 24 | 25
Illuminance (lx) | 346 | 246 | 188 | 231 | 387
Average illuminance: 280 lx; Uniformity: 0.67

According to the calculation, the illuminance of the five areas is as shown in Table 3 below, which shows that the illuminance of the areas can meet the lighting requirements. At the same time, however, the Security building’s light sources are arranged for neatness. The uniform arrangement leads to over-strong illumination in some areas due to superposition and insufficient illumination in others. Moreover, in order to bring the surrounding areas up to the standard illumination, over-strong illumination in some areas is unavoidable, resulting in too low a uniformity. Therefore, how to improve uniformity and reduce reflected light, glare and shadow needs further research.

Table 3. Comparison of regional illuminance in the Security building.

Partition | Lighting design requirements: target value | Result value | Uniformity
Area 1 | 300–500 lx | 430 lx | 0.86
Area 2 | 200–500 lx | 406 lx | 0.84
Area 3 | 200–400 lx | 234 lx | 0.58
Area 4 | 100–500 lx | 250 lx | 0.86
Area 5 | 100–500 lx | 280 lx | 0.67
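The check that Table 3 performs by hand, as an added example that is not code from the paper: it recomputes each area's average illuminance and uniformity from the measuring-point values of Table 2 and tests them against this plan's design ranges and the uniformity floor of 0.7 quoted from HAF-J0055-1995. The paper does not state how uniformity is defined; the example assumes minimum divided by average illuminance, which reproduces the tabulated values for Areas 1, 2, 3 and 5 and gives 0.83 for Area 4 where the table lists 0.86. The area names and the `AreaResult` structure are this example's own.

```python
"""Per-area illuminance check for the Security building lighting model.

Added example, not code from the paper. Recomputes average illuminance and
uniformity per area from the measuring points transcribed from Table 2,
then checks them against the design ranges of Table 3 and the uniformity
floor of 0.7 the paper quotes from HAF-J0055-1995.

Assumption: uniformity = minimum illuminance / average illuminance.
"""
from __future__ import annotations

from dataclasses import dataclass

# Measuring-point illuminance values in lx, transcribed from Table 2 of the paper.
MEASURED_LX = {
    "Area 1": [369, 415, 483, 407, 475, 402, 410, 411, 471, 454],   # control area
    "Area 2": [368, 421, 381, 439, 481, 383, 339, 354, 402, 488],   # surveillance zone
    "Area 3": [267, 208, 234, 182, 297, 237, 135, 278, 276, 307,    # auxiliary control area
               261, 253, 214, 222, 196, 187],
    "Area 4": [214, 274, 295, 259, 208],                            # gateway district
    "Area 5": [346, 246, 188, 231, 387],                            # maintenance area
}

# Design illuminance ranges in lx for this plan, from Table 3 of the paper.
TARGET_LX = {
    "Area 1": (300, 500),
    "Area 2": (200, 500),
    "Area 3": (200, 400),
    "Area 4": (100, 500),
    "Area 5": (100, 500),
}

# Uniformity floor the paper quotes from HAF-J0055-1995.
UNIFORMITY_MIN = 0.7


@dataclass(frozen=True)
class AreaResult:
    area: str
    average_lx: float      # mean of the measuring points, rounded to 0.1 lx
    uniformity: float      # min / average (assumed definition), rounded to 0.01
    in_target_range: bool  # average lies within the plan's design range
    uniformity_ok: bool    # uniformity >= UNIFORMITY_MIN


def assess_area(area: str, values: list[int], target: tuple[int, int]) -> AreaResult:
    """Compute average and uniformity for one area and check both criteria."""
    if not values:
        raise ValueError(f"{area}: no measuring points")
    average = sum(values) / len(values)
    uniformity = min(values) / average   # assumed definition, see module docstring
    low, high = target
    return AreaResult(
        area=area,
        average_lx=round(average, 1),
        uniformity=round(uniformity, 2),
        in_target_range=low <= average <= high,
        uniformity_ok=uniformity >= UNIFORMITY_MIN,
    )


def assess_all() -> dict[str, AreaResult]:
    """Assess every area in MEASURED_LX against TARGET_LX, in table order."""
    return {area: assess_area(area, lx, TARGET_LX[area]) for area, lx in MEASURED_LX.items()}


def failing_areas() -> list[str]:
    """Areas that miss either the illuminance range or the uniformity floor."""
    return [r.area for r in assess_all().values()
            if not (r.in_target_range and r.uniformity_ok)]


if __name__ == "__main__":
    for r in assess_all().values():
        flag = "OK  " if r.in_target_range and r.uniformity_ok else "FAIL"
        print(f"{flag} {r.area}: average {r.average_lx} lx, uniformity {r.uniformity}")
    print("Areas needing redesign:", failing_areas())
```

Run as a script it lists each area and flags Areas 3 and 5, whose averages sit inside their design ranges but whose uniformity falls below 0.7; this is the same conclusion the paragraph above draws about superposition and low uniformity, made checkable for any new set of simulated points.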

In addition, in order to optimize Security building lighting, wall decoration should ensure low glare and the ceiling should provide scattered and indirect light sources. Bare lamps should not be visible from the lighting space. The paint used should be neutral in color, such as light brown, and the surface should be flat or semi-frosted. Display screens and other indicator surfaces using glass or resin glass shall adopt low glare materials or other glare reduction technologies. Equipment signs shall be made of low glare materials, and bare metal surfaces shall be painted with non-reflective substances or paint.

3.1.2 Temperature and Humidity

According to the investigation results of the temperature and humidity part of the environmental design in Sect. 2, the temperature and humidity setting on the current project is unreasonable and cannot meet the needs of the human body. Therefore, according to the number of personnel and the equipment load in the building, and referring to “GB50348-2018 Operating Technical Specifications for Safety Prevention Engineering” and “GB 2887-89 Specification for computation center field” [3, 4], the temperature and humidity requirements for the Security building and guard room are as follows:
a) The normal mean temperature of the Security building and guard room should be controlled within the range of 18 °C–25 °C;
b) The temperature difference between the top of the head and the floor shall not exceed 5.5 °C;
c) Relative humidity should be controlled between 20% and 60%;
d) Humidity changes should be consistent with seasonal/climate changes, i.e. increasing humidity when cold and decreasing humidity when warm.

3.1.3 Noise

According to the investigation results of the noise part of the environmental design in Sect. 2, the noise in the guard room mostly comes from passing vehicles, on-site construction, indoor air conditioning and plant-wide test broadcasting. According to the principles of Human Factors Engineering and “GB22337-2008 Emission standard for community noise” [5], the noise in the guard room and Security building should not affect voice communication between operators at any two points. In addition, interference and stimulation to hearing should be minimized to reduce hearing fatigue. The background noise intensity should not exceed 45 decibels. Therefore, in view of the noise in the guard room, it is suggested that sound-absorbing materials be installed in the ceiling to control noise and vibration. At the same time, bulletproof glass should be used in the guard room, glass gel should be used at intervals, and central air conditioning should be used for temperature and humidity adjustment.

3.1.4 Set Filing Cabinet

Security building personnel usually consult several reference documents at the same time when operating. As a complete Computerized Operating Work Station, it needs to meet various needs. At present, no special filing cabinet has been designed for the Security building in any project, resulting in random placement of documents everywhere, excessive search time and reduced work efficiency. Therefore, filing cabinets need to be set up in the Security building, and all reference documents should be placed in a location in the Security building where they are easy to take out and put back. Location tags shall clearly identify each type of document, and labels should distinguish the various documents as far as possible. Frequently used documents should not be fixed to the document rack, so that they remain easy to access. Documents need to be bound in order to maintain their original order when opened. Storage space for articles such as alarm logs, such as storage cabinets, shall be provided. Documents should be stored separately and be easily accessible.

3.2 Layout Design of Security Building Work Area

3.2.1 Overview of Security Building Workspace

The Security building is divided into several areas, with operators mainly working near the Computerized Operating Work Station. Therefore, the display equipment on the operating table, the appearance design and arrangement of the Computerized Operating Work Station, and the arrangement of the TV wall should conform to the principles of Human Factors Engineering, so as to ensure that the operator can use them accurately and conveniently, and that the probability of misoperation caused by human error is minimized under normal and emergency conditions. According to the survey results of work area layout design in Sect. 2, the Computerized Operating Work Station design in the Security building cannot meet the requirements of Human Factors Engineering. In order to better design a Computerized Operating Work Station in line with Human Factors Engineering, we must first summarize and analyze the existing problems in the projects, and then improve on them to design a Computerized Operating Work Station in line with human physiological, psychological and anatomical characteristics, so as to improve the operator’s comfort and work efficiency during operation. The following deficiencies in the design of the Security building Computerized Operating Work Station have been sorted out.
1) The Computerized Operating Work Station desktop is not wide enough. Too narrow a width leaves the operator’s wrist and forearm suspended, with the muscles always in a state of tension. When a sitting posture is used for a long time, the part in contact with the chair surface lacks blood circulation and develops nerve pressure, causing physical discomfort and mental fatigue, which over a long period easily induces serious occupational diseases.
2) The Computerized Operating Work Station desktop is not long enough. The equipment on the Security building operating table occupies the whole Computerized Operating Work Station, and the operator feels crowded when operating, which is caused by the insufficient length of the table.
3) The bottom of the Computerized Operating Work Station desk is too close to the ground. The distance from the bottom of the Computerized Operating Work Station table to the ground determines the convenience of the operator when sitting down and standing up. If the distance is not enough, some tall operators will be inconvenienced when sitting.
4) The distance between the Computerized Operating Work Station and the TV wall is not comfortable. If the distance between the Computerized Operating Work Station and the TV wall is too short, the operator’s viewing distance will be too short when working, which easily causes asthenopia, is not conducive to vision health and reduces work efficiency over a long period.

5) The overall design of the chair does not meet the requirements of the structural characteristics of the human body in human factors. In the design of chairs, the structural characteristics of the human body are not fully considered. The backrest is close to vertical, the position of the backrest is somewhat low, the seat surface is low, and sometimes it tilts downward by a certain angle because of fixing problems. These chair problems will lead to waist soreness and leg numbness when the operator sits for too long.

3.2.2 Working Area Design Principles

The types of operators’ work include the sitting and standing dual-purpose type, the standing posture control type and the sitting posture control type. According to the survey data on working area layout in Sect. 2, Security building operators all work in the dual-purpose mode of sitting and standing. The Computerized Operating Work Station design mainly considers the following factors:

a) Computerized Operating Work Station height.
b) Computerized Operating Work Station length, width and control depth.
c) Location of the display devices and their distance from the TV wall.
d) Knee space.

The research results mainly refer to “GB10000-1988 Human Body Size of Chinese Adults” [6], and it is suggested that human body sizes be surveyed according to the actual population of power plant operators during project implementation. Security building operators need to continuously shift their attention to monitor the TV wall and the display equipment area, and operate in a sitting position to complete tasks; therefore, the dual-purpose mode of sitting and standing is basically adopted. According to the Chinese body measurement standard, the specific dimensions of the Computerized Operating Work Station shall meet the following requirements.

1) The distance from the table top to the ground should be within 680 mm–760 mm.
2) The depth of the working face shall not be less than 400 mm.
3) If only reading and writing tasks are involved, the width of the working face shall not be less than 600 mm; if other tasks are required, the width of the working face shall not be less than 760 mm.
4) The knee space height of the sitting Work Station, i.e. the distance from the lower surface of the table to the ground, should not be less than 630 mm.
5) The depth of the knee space shall not be less than 460 mm.
6) The width of the knee space should not be less than 520 mm (the larger the width, the better).
7) The operator shall be able to distinguish all important picture details on the TV wall at the maximum sight distance. The height of letters and numbers should not be less than 15 points of view at the maximum sight distance.

In addition, the Work Station design also includes seats matching the Computerized Operating Work Station. Key considerations include mobility, comfort of the backrest and armrests, adjustability of the seat, shock absorption and the provision of a footrest.

a) Mobility: The chair should be movable so that the operator can easily adjust its position. A chair with a movable base (i.e. with wheels) is recommended for sitting at the Work Station.
b) Backrest: The chair should have a backrest not lower than the lumbosacral area of the human body.
c) Armrest: To allow the operator’s elbows to rest in a natural posture, the Main Control Room should provide chairs with armrests, and the armrests should be adjustable or retractable as needed.
d) Shock absorption: The seat and backrest shall be cushioned with compressible materials so that the chair still has appropriate elasticity when the operator sits on it.
e) Seat size: To avoid fatigue caused by pressure on the back of the thighs and knees, which leads to blood circulation problems, the seat width is 370 mm–420 mm (recommended value 400 mm), and the seat depth can be in the range of 360 mm–390 mm (recommended value 380 mm).
f) Seat adjustment: The seat should have a large height adjustment range, so that it can be adjusted until the sitting posture eye height and the standing posture eye height are basically the same. The minimum adjustment range of the seat height is 360 mm–480 mm.
g) Footrest: When the height adjustment range of the seat or worktable top cannot allow the user’s feet to rest flat on the ground, a footrest of appropriate height should be provided.

3.3 Optimization of Equipment Maintenance Space

To facilitate the work of maintenance personnel, all equipment needs to be maintainable. So that the system can be repaired quickly, conveniently and economically in case of failure, this should be considered at the design stage. Maintenance activities are ultimately completed by maintenance personnel with the help of the corresponding Maintenance Equipment. At the design stage, it should be ensured that maintenance personnel and Maintenance Equipment can easily reach the maintenance position and operate freely, which is embodied in the following aspects:

1) Ensure the accessibility of maintenance personnel: The maintenance Gateway should be reasonably placed to ensure that maintenance personnel can quickly and conveniently reach the maintenance position. The Nuclear Power Plant Protection Zone Fence is a double-layer fence; a closed isolation belt is formed between the two fences, and physical protection equipment such as intrusion detection and video monitoring is installed in the isolation belt. If this equipment fails, maintenance personnel are required to enter the isolation belt for troubleshooting and maintenance. Therefore, a special Gateway for maintenance can be set up on the fence.

2) Ensure the convenience of maintenance work: When designing TV walls, cabinets and control boxes, the position, posture and movements of maintenance personnel should be considered so as to provide appropriate working space (height, depth, door opening direction, etc.), avoiding postures such as kneeling, lying or squatting that are prone to fatigue or injury, and providing good convenience for maintenance personnel. In the design of civil structures, the requirements of equipment maintenance should also be considered. For example, the optical fiber fence detector installed at the bottom of the rainwater well needs to be taken out of the ground for maintenance. If the rainwater well has a closed-top structure that may prevent the equipment from being put in or taken out, the rainwater well structure design can provide a special equipment maintenance tank.

3) Ensure the accessibility of maintenance equipment: The accessibility of Maintenance Equipment should be considered in the layout design of the physical protection Item Concerned. The optical fiber fence detector installed at the bottom of various pipe trenches and culverts shall be lifted out from the bottom of the well by a crane when it fails or is overhauled. The crane operation area shall be fully considered at the design stage, so that the crane is not prevented from reaching the operation area by an unreasonable layout.

In addition, drawings, as an important basis for maintenance work, are of great significance to maintenance efficiency. The following points should be paid attention to when drawings are prepared:

1) The drawings are clear and unambiguous: All information in the drawings shall be clear, uniform legend symbols and naming rules shall be applied, and all component marks shall be unique.
2) An Operation and Maintenance Manual is available: The Operation and Maintenance Manual is used to guide maintenance work, and its depth and breadth should be ensured to meet maintenance requirements.
3) The drawings consider maintenance requirements: For equipment with a high maintenance frequency, a power distribution diagram, wiring diagram and detailed drawing can be issued to facilitate inspection and use during maintenance and improve maintenance efficiency.

3.4 Physical Protection System Alarm Management

The existing Physical Protection System platforms are mainly foreign platforms whose openness is not ideal, so alarm management cannot be customized according to the user’s requirements. There are no clear requirements and standards for classification, and each power plant formulates its own, resulting in differences among power plants. In addition, the alarm class of the existing security platforms is basically a single output alarm, lacking big data analysis of alarms/events that could provide intelligent alarm output.

In view of the above problems, in order to reduce the load on security guards and improve the efficiency of alarm management, the functional design and display design of the alarm system should address the following human factors:

1) Classification of physical protection alarm types and standardization of the corresponding alarm processing are used for the development of the Software platform.
2) Clarifying the classification of physical protection alarms helps shorten the design cycle of the system and improves the effectiveness of users’ operation and maintenance.
3) According to the physical protection requirements and signal sources, the schematic diagram is designed, which supports intelligent analysis of event data and provides security risk assessment data.

3.4.1 Physical Protection System Alarm Classification

A physical protection alarm outputs abnormal states such as external intrusion and equipment or power supply abnormalities. The “HAD501/03 Nuclear Facilities Perimeter Intrusion Alarm System” Guidelines and “NB/T 20027-2010 Nuclear power plants-main control room-alarm functions and presentation” set the following specific requirements for alarms [7, 8]. Design requirements are as follows.

1) The unit should give a status display for the following events:
2) Normal status display;
3) When an external intrusion occurs, sound and light alarm displays shall be given at the same time, and the location where the alarm occurs shall also be displayed;
4) Indication of the arming and disarming status of each detection area;
5) Indication when the main Power Supply fails and the standby Power Supply is switched in;
6) Indication of any failure (including natural failure and man-made failure) that prevents the normal operation of the system;
7) Indication when any part of the system cannot function properly due to the Power Supply;
8) Indication of any tampering that prevents the normal operation of the equipment (such as opening, short-circuiting or grounding the detector circuit);
9) Indication of failure to transmit information.

Performance requirements are as follows: the required signal display shall be accurate, reliable, obvious and easy to identify.

Physical protection alarm classification refers to classification according to the nature of the alarm. According to the HAD501/03 “Nuclear Facility Perimeter Intrusion Alarm System” Guidelines [5], physical protection alarms can be classified as follows according to the nature of the alarm.

1) Risk: risk and early warning output after calculation, analysis and evaluation of event classification data;
2) Alarm: real-time alarm output from the logic judgment of the intrusion, entrance guard and intelligent video systems;
3) Failure: equipment, system power supply and communication failure alarms.

3.4.2 Physical Protection System Alarm Classification

According to the description of alarm priority in alarm processing, the following holds:

1) The alarms of HL1000 are divided into four severity levels, in decreasing order of severity: Severity Level 1, Severity Level 2, Severity Level 3, Severity Level 4.
2) Different color codes are used to distinguish alarms with different severity levels: purple for severity level 1, red for severity level 2, yellow for severity level 3 and cyan for severity level 4.

According to the alarm processing, physical protection alarms are classified by the severity of the event, from level 1 to level 4.

1) Level 1: Indicates a serious threat to nuclear materials and facilities. It is a level 1 alarm and is coded in purple.
2) Level 2: Indicates a direct threat to nuclear materials and facilities. It is a level 2 alarm and is coded in red.
3) Level 3: Indicates a general threat to nuclear materials and facilities. It is a level 3 alarm and is usually coded in yellow.
4) Level 4: Indicates a potential threat to nuclear materials and facilities. It is a level 4 alarm and is usually coded in cyan.

Based on this classification of Physical Protection System alarms by nature and by severity, the Physical Protection System alarm logic diagram and alarm classification list are finally designed.
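As an added example (not code from the paper or from any plant platform), the classification by nature of Sect. 3.4.1 and the severity grading and colour codes of Sect. 3.4.2 can be expressed as a small alarm-list builder. The event kinds, their assignment to classes and levels, the zone names and the repeated-intrusion rule used to derive the Risk class are constructed assumptions, since the paper leaves that assignment to each plant.

```python
"""Alarm classification and grading for a physical protection system (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Alarm classes by nature, as listed in Sect. 3.4.1 (HAD501/03).
RISK, ALARM, FAILURE = "Risk", "Alarm", "Failure"

# Colour codes by severity level, as listed in Sect. 3.4.2.
COLOUR = {1: "purple", 2: "red", 3: "yellow", 4: "cyan"}

# Constructed mapping from raw event kind to (nature class, severity level).
# The paper defines the classes and the four levels but leaves the per-event
# assignment to each plant, so these rows are illustrative assumptions.
RULES = {
    "intrusion_confirmed": (ALARM, 1),    # intrusion verified by intelligent video
    "intrusion":           (ALARM, 2),    # single perimeter detector triggered
    "access_forced":       (ALARM, 2),    # entrance guard door forced open
    "tamper":              (FAILURE, 3),  # detector circuit opened/shorted/grounded
    "power_main_fail":     (FAILURE, 3),  # main supply lost, standby switched in
    "comm_fail":           (FAILURE, 3),  # information cannot be transmitted
    "detector_fault":      (FAILURE, 4),  # self-test fault, no intrusion implied
}

# Constructed rule for the Risk class: repeated Alarm-class events in one
# zone inside a short window are evaluated into a single early-warning output.
RISK_WINDOW_S = 60.0
RISK_THRESHOLD = 3


@dataclass(order=True)
class Alarm:
    """One row of the alarm list; ordering = severity first, then time."""
    severity: int
    t: float
    kind: str = field(compare=False)
    zone: str = field(compare=False)
    nature: str = field(compare=False)
    colour: str = field(compare=False)
    presentation: str = field(compare=False)


def classify(event):
    """Map a raw event to its class, severity, colour and required presentation."""
    # Unknown kinds are not dropped silently: they become a level-4 Failure.
    nature, severity = RULES.get(event["kind"], (FAILURE, 4))
    if nature == ALARM:
        # Sect. 3.4.1: external intrusion needs sound and light plus the location.
        presentation = f"sound+light, location {event['zone']}"
    else:
        presentation = f"indication, location {event['zone']}"
    return Alarm(severity, event["t"], event["kind"], event["zone"],
                 nature, COLOUR[severity], presentation)


def evaluate_risk(alarms):
    """Produce Risk-class outputs from the classified Alarm-class events."""
    by_zone = defaultdict(list)
    for a in sorted(alarms, key=lambda a: a.t):
        if a.nature == ALARM:
            by_zone[a.zone].append(a.t)
    risks = []
    for zone, times in by_zone.items():
        for start in times:
            window = [t for t in times if start <= t <= start + RISK_WINDOW_S]
            if len(window) >= RISK_THRESHOLD:
                risks.append(Alarm(1, window[-1], "risk_repeated_intrusion", zone,
                                   RISK, COLOUR[1], f"early warning, location {zone}"))
                break  # one Risk output per zone is enough for this example
    return risks


def build_alarm_list(events):
    """Classify every event, add Risk evaluations and return the list in display order."""
    alarms = [classify(e) for e in events]
    alarms.extend(evaluate_risk(alarms))
    return sorted(alarms)


# Constructed sample events: three Alarm-class events in zone Z3 within 40 s,
# one power failure at the substation and one detector self-test fault in Z1.
SAMPLE_EVENTS = [
    {"t": 0.0,   "zone": "Z3",  "kind": "intrusion"},
    {"t": 10.0,  "zone": "SUB", "kind": "power_main_fail"},
    {"t": 20.0,  "zone": "Z3",  "kind": "intrusion"},
    {"t": 40.0,  "zone": "Z3",  "kind": "access_forced"},
    {"t": 100.0, "zone": "Z1",  "kind": "detector_fault"},
]

if __name__ == "__main__":
    for a in build_alarm_list(SAMPLE_EVENTS):
        print(f"L{a.severity} {a.colour:6} {a.nature:7} t={a.t:6.1f} "
              f"{a.kind:24} {a.presentation}")
```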

4 Application

This technical achievement can achieve the following.

1) The illuminance lighting scheme helps solve the problems of the illuminance of the work area not fully meeting the requirements and of lighting blind spots.
2) The specific dimensions of the operating table are designed according to ergonomic principles to ensure that the operator can use it accurately and conveniently. This minimizes the probability of misoperation caused by human error in both normal and emergency situations.
3) By putting forward clear requirements for the maintenance space and drawing design of physical protection equipment, the maintenance location is easy to reach and can be worked on freely, which improves the efficiency and comfort of maintenance personnel.
4) Clear requirements and standards for the alarms of the physical protection system of each power station are put forward to avoid differences. Designing the alarm logic diagram and alarm list not only realizes alarm management but also provides a certain degree of openness for customized modifications according to the user’s needs.

Some of the related achievements have been applied to a Nuclear Power Station, and can be extended to third-generation advanced pressurized water reactor units such as AP1000 and EPR. This has laid a solid foundation for the comprehensive realization of the “Human Factors Engineering” concept in the physical protection system.

5 Conclusions

Starting from Human Factors Engineering and combining it with the actual situation of each project, this paper optimizes the design of Human Factors Engineering in the Physical Protection System from four sub-directions, and preliminarily realizes the design of the Physical Protection System in Human Factors Engineering through building a system model, clarifying standards and requirements, and designing logic diagrams. With the in-depth study of the concept of Human Factors Engineering, I believe it will be more and more widely used in Physical Protection Systems.

References

1. National Nuclear Safety Administration: HAF-J0055-1995 Human Factors Engineering Principles for Nuclear Power Plant Control Room Design
2. Ministry of Housing and Urban-Rural Development of the People’s Republic of China, State General Administration of Quality Supervision, Inspection and Quarantine of the People’s Republic of China: GB50034-2013 Building Lighting Design Criteria. China Construction Industry Press, 29 November 2013
3. Ministry of Housing and Urban-Rural Development of the People’s Republic of China, State Administration of Market Supervision and Administration: GB50348-2018 Operating Technical Specifications for Safety Precautions. China Planning Press, Beijing (2018)
4. State Technical Supervision Bureau: GB2887-89 Specification for computation center field
5. National Environmental Protection Headquarters: GB22337-2008 Emission standard for community noise
6. GB10000-1988 Body Size of Chinese Adults
7. National Nuclear Safety Administration: HAD501/03 Nuclear Facility Perimeter Intrusion Alarm System (2005)
8. National Energy Board: NB/T 20027-2010 Nuclear power plants-main control room-alarm functions and presentation

The Design and Implementation of an LSTM-Based Steam Generator Level Prediction Model

Jing-Ke She(B), Jia-Ni Wang, Su-Yuan Yang, and Shi-Yu Xue

College of Computer Science and Electronic Engineering, Hunan University, Changsha 410082, Hunan, China
[email protected]

Abstract. The Long Short-Term Memory (LSTM) model is applied to Steam Generator (SG) water level prediction in this work. The model is designed and implemented within the SIMULINK environment, where a real-time validation platform is also constructed using a traditional PID controller. The SG water level feedback signal is fed to both the LSTM model and the PID controller, allowing the prediction to be generated online and compared to the actual controlled value. The results demonstrate the functionality and advantages of the LSTM model, such as high accuracy with a prediction error of −1.1887 × 10^-4, a low loss value with an MSE of 1.4130 × 10^-8, and quick convergence during the simulation. The discoveries in this work could enable future exploration of deep-learning-based control strategies for nuclear power plants.

Keywords: Steam generator · Level prediction · Deep learning · LSTM

1 Introduction

As a clean energy source that has been widely utilized around the world, nuclear energy is becoming one of the preferred energy options in the Industry 4.0 era. As the key component between the central nuclear island and the conventional island, the steam generator (SG) plays a key role in transferring reactor heat to turbine power. At present, Proportional-Integral-Derivative (PID) control is generally selected as the control method for SGs in nuclear power plants. However, PID is an effective control strategy for linear time-invariant systems, which leaves it deficient for a nonlinear system with complex non-minimum-phase behaviour, e.g. the SG water level. Meanwhile, the integral saturation of PID is also a hidden problem that could cause inaccurate control outputs [1]. To improve PID control performance, abundant work has focused on tuning the PID parameters based on physical principles, such as the PID control method based on a fuzzy RBF neural network [2], the control method based on CFNN [3], and the iterative adjustment method based on virtual references [4]. The cost of these parameter-tuning methods is high, and the potential control deficiency remains in the system due to its time-varying and nonlinear characteristics.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 505–517, 2021. https://doi.org/10.1007/978-981-16-3456-7_49

Instead of tuning the parameters, this work focuses on generating a prediction of the SG level using the real-time feedback. The prediction provides a reference for the controller, making it possible to adjust the control via a data-driven implementation. Unlike traditional physical modeling and parameter tuning methods, the proposed deep learning method bypasses the construction or investigation of the complex system model. It allows the system to foresee the operating condition in the incoming time stream, which enables the controller to take necessary measures in advance. The prediction method proposed in this work is based on the Long Short-Term Memory (LSTM) model, which has been shown to be an effective solution for predicting nuclear power plant working conditions [5]. As a deep learning model widely used for long time-series data prediction, LSTM creatively uses the concept of “gates” to store critical information and discard what is not needed. This principle gives LSTM the capability of carrying critical information through the entire predicted period, leading to the desired prediction accuracy. A classic LSTM neuron structure is shown below in Fig. 1.

Fig. 1. LSTM neuron structure

Compared with traditional control methods, the deep learning method has the following advantages:

• Human-like learning ability and control strategy;
• Universality, which means strong adaptability [6];
• Strong recovery ability;
• Changing the structure into a nonlinear one;
• Strong organization function;
• Support for a mixed control process [7].

It has been noticed that the deep learning model can provide a smart control solution for traditional control problems. It can also effectively improve the safety of industrial production as well as production efficiency.

2 Implementation of the Prediction Function

The LSTM-based prediction function is constructed using the Deep Learning Toolbox (DLTB) of MATLAB™. Datasets generated by an industry-grade simulator are applied for both the training and testing of the prediction function.

2.1 The MATLAB Implementation of the Prediction Unit

The prediction unit is the core component, which contains the LSTM model to be tested. The LSTM model inherits the feedback structure of the Recurrent Neural Network (RNN) without its drawbacks of gradient vanishing and gradient explosion. The LSTM model reduces the content transmitted downward by introducing the forget gate structure [8]. Meanwhile, it enhances long-term learning by introducing cell states. The LSTM-based prediction unit in this work is designed as a neural network with one hidden layer and one output layer, with 10 and 1 nodes respectively. More details are provided below in Fig. 2.

Fig. 2. Prediction function details

The sigmoid function is chosen as the activation function for both the output gate and the forget gate, while in the input gate the activation function is composed of both the sigmoid function and the tanh function. The dropout method is adopted during model construction so that overfitting can be avoided in the training process [9]. The prediction unit is then encapsulated into a packaged unit (Fig. 3) via the SIMULINK module generation function. The underlying building principles of this module can be easily accessed, which makes it flexible for assembling high-level intelligent control models.
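To make the gate structure of Sect. 2.1 concrete, here is an added pure-Python forward pass of the prediction unit (10 hidden LSTM units, one linear output), not the paper's MATLAB/DLTB model. The weights are random and untrained, so predict() only shows the data flow; gate_demo(), the window length and the sample feedback series are assumptions made for this illustration.

```python
"""Forward pass of an LSTM prediction unit as in Fig. 2 (added example, pure Python)."""
import math
import random


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


def affine(W, b, v):
    """W·v + b for a list-of-lists matrix W and list vectors b, v."""
    return [sum(w * x for w, x in zip(row, v)) + bi for row, bi in zip(W, b)]


class LSTMCell:
    """One LSTM layer with forget gate f, input gate i, candidate g and output gate o."""

    def __init__(self, n_in, n_hidden, seed=1):
        rng = random.Random(seed)
        self.n_hidden = n_hidden
        n = n_in + n_hidden              # every gate sees [x_t, h_{t-1}]
        self.W = {k: [[rng.uniform(-0.2, 0.2) for _ in range(n)]
                      for _ in range(n_hidden)] for k in "figo"}
        self.b = {k: [0.0] * n_hidden for k in "figo"}

    def step(self, x, h, c):
        """Advance one time step; returns the new (h, c)."""
        z = list(x) + list(h)
        f = [sigmoid(v) for v in affine(self.W["f"], self.b["f"], z)]    # forget gate
        i = [sigmoid(v) for v in affine(self.W["i"], self.b["i"], z)]    # input gate
        g = [math.tanh(v) for v in affine(self.W["g"], self.b["g"], z)]  # tanh candidate
        o = [sigmoid(v) for v in affine(self.W["o"], self.b["o"], z)]    # output gate
        # Cell state: keep what f lets through, write what i admits of g.
        c_new = [fk * ck + ik * gk for fk, ck, ik, gk in zip(f, c, i, g)]
        h_new = [ok * math.tanh(ck) for ok, ck in zip(o, c_new)]
        return h_new, c_new


class LevelPredictor:
    """10 hidden LSTM units feeding one linear output node."""

    def __init__(self, n_hidden=10, seed=1):
        rng = random.Random(seed)
        self.cell = LSTMCell(1, n_hidden, seed)
        self.w_out = [rng.uniform(-0.2, 0.2) for _ in range(n_hidden)]
        self.b_out = 0.0

    def predict(self, window):
        """Run the cell over a window of past (normalized) levels; emit the next-level estimate."""
        h = [0.0] * self.cell.n_hidden
        c = [0.0] * self.cell.n_hidden
        for x in window:
            h, c = self.cell.step([x], h, c)
        return sum(w * hk for w, hk in zip(self.w_out, h)) + self.b_out

    def predict_online(self, feedback, n_steps):
        """Rolling prediction: after each feedback sample, predict the next from the last n_steps."""
        return [self.predict(feedback[t - n_steps:t]) for t in range(n_steps, len(feedback))]


def gate_demo(cell, steps=5, seed=2):
    """Show what the forget gate does with the input gate held shut (b_i = -30):
    b_f = +30 saturates it open and c is carried unchanged, b_f = -30 wipes c."""
    rng = random.Random(seed)
    xs = [[rng.random()] for _ in range(steps)]   # constructed random inputs
    results = {}
    for label, bf in (("keep", 30.0), ("forget", -30.0)):
        cell.b["f"] = [bf] * cell.n_hidden
        cell.b["i"] = [-30.0] * cell.n_hidden
        h = [0.0] * cell.n_hidden
        c = [0.5] * cell.n_hidden                  # a stored "critical" value
        for x in xs:
            h, c = cell.step(x, h, c)
        results[label] = c
    cell.b["f"] = [0.0] * cell.n_hidden            # restore the cell
    cell.b["i"] = [0.0] * cell.n_hidden
    return results


if __name__ == "__main__":
    demo = gate_demo(LSTMCell(1, 10))
    print("kept  :", [round(v, 6) for v in demo["keep"]])
    print("wiped :", [round(v, 6) for v in demo["forget"]])
    levels = [0.5 + 0.01 * t for t in range(30)]   # constructed feedback series
    print(LevelPredictor().predict_online(levels, 10)[:3])
```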

Fig. 3. The encapsulated prediction unit

To highlight the performance of the LSTM-based prediction model, an RNN-based model is also prepared in the same way. Predictions from both models are generated during the experiments, which gives a performance comparison.

2.2 Training of the Prediction Unit

During the training process of the prediction unit, a total of 6,014 time-point data from the industrial simulator are applied. In order to prevent the over-fitting problem, diversity is introduced in the data preprocessing, including data normalization and Gaussian noise (SNR = 80). The Rolling-Update (RU) method is also applied, in consideration of data refining in a nonlinear process [10]. The preprocessed data are divided into three sets: the training set, the validation set and the testing set, containing 70%, 15% and 15% of the entire dataset respectively. The L-M backpropagation algorithm is adopted as the training algorithm, which consumes more memory but ensures faster training. Based on the variation of the loss value during training, the number of training iterations is determined adaptively by the DLTB. The mean square error (MSE) is selected as the loss function to judge the accuracy of the model, and the number of training iterations is 275. The variation of MSE in each dataset during training is shown in Fig. 4, and the final MSE values are presented in Table 1.

Fig. 4. MSE variation during training process

Table 1. MSE of training results

Datasets        MSE
Training set    8.93423 × 10^-5
Validation set  9.35334 × 10^-5
Testing set     7.88438 × 10^-5

As Table 1 shows, the MSE results obtained in the three processes are all acceptable. This certifies that the prediction unit is ready for dynamic operation validation.
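The preprocessing of Sect. 2.2 (normalization, Gaussian noise, rolling-update windows and the 70/15/15 split), together with the de-normalization and input-dimension checks listed under Sect. 4.1, as an added pure-Python example rather than the paper's MATLAB pipeline. It assumes SNR = 80 is in dB (MATLAB's awgn convention), a window of 10 past samples, and a constructed damped-oscillation series in place of the simulator data.

```python
"""Data preprocessing for an SG level prediction unit (added example, pure Python)."""
import math
import random


def normalize(series):
    """Min-max scale to [0, 1]; the bounds are returned so outputs can be de-normalized."""
    lo, hi = min(series), max(series)
    span = (hi - lo) or 1.0                       # guard a constant series
    return [(v - lo) / span for v in series], (lo, hi)


def denormalize(scaled, bounds):
    """Inverse of normalize(): map model outputs back to engineering units."""
    lo, hi = bounds
    return [v * (hi - lo) + lo for v in scaled]


def add_gaussian_noise(series, snr_db, seed=0):
    """Add zero-mean Gaussian noise at the given signal-to-noise ratio.
    SNR is taken in dB (assumption): SNR = 80 means noise power = 1e-8 x signal power."""
    rng = random.Random(seed)
    p_signal = sum(v * v for v in series) / len(series)
    sigma = math.sqrt(p_signal / 10 ** (snr_db / 10))
    return [v + rng.gauss(0.0, sigma) for v in series]


def measured_snr_db(clean, noisy):
    """Check the noise actually injected: 10 log10(P_signal / P_noise)."""
    p_s = sum(v * v for v in clean) / len(clean)
    p_n = sum((a - b) ** 2 for a, b in zip(clean, noisy)) / len(clean)
    return 10 * math.log10(p_s / p_n)


def rolling_windows(series, n_steps):
    """Rolling-update supervised pairs: the last n_steps levels -> the next level."""
    xs = [series[i:i + n_steps] for i in range(len(series) - n_steps)]
    ys = [series[i + n_steps] for i in range(len(series) - n_steps)]
    return xs, ys


def split(xs, ys, train=0.70, val=0.15):
    """Contiguous 70/15/15 split in time order, so no future sample leaks into training."""
    n = len(xs)
    n_tr, n_va = int(n * train), int(n * val)
    return ((xs[:n_tr], ys[:n_tr]),
            (xs[n_tr:n_tr + n_va], ys[n_tr:n_tr + n_va]),
            (xs[n_tr + n_va:], ys[n_tr + n_va:]))


def mse(pred, target):
    """Mean square error, the loss used to judge model accuracy."""
    return sum((p - t) ** 2 for p, t in zip(pred, target)) / len(pred)


def synthetic_level(n=6014, setpoint=1.0, seed=0):
    """Constructed stand-in for the simulator data: a damped oscillation about the
    setpoint plus a small measurement jitter, with the same length as the paper's dataset."""
    rng = random.Random(seed)
    return [setpoint + 0.2 * math.exp(-t / 800) * math.cos(2 * math.pi * t / 100)
            + rng.gauss(0.0, 1e-3) for t in range(n)]


def prepare(series, n_steps=10, snr_db=80.0):
    """Full pipeline: normalize, add noise, build rolling windows, split by time."""
    scaled, bounds = normalize(series)
    noisy = add_gaussian_noise(scaled, snr_db)
    xs, ys = rolling_windows(noisy, n_steps)
    return split(xs, ys), bounds


if __name__ == "__main__":
    raw = synthetic_level()
    (tr, va, te), bounds = prepare(raw)
    print("train/val/test windows:", len(tr[0]), len(va[0]), len(te[0]))
    print("window dimension:", len(tr[0][0]), "bounds:", bounds)
```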

3 Implementation of the Validation Platform

To validate the performance of the prediction unit, a platform must be established such that the prediction unit can monitor a dynamic process and generate its prediction. The prediction performance is validated by comparing the prediction to the actual development of the process. The validation platform consists of both the trained prediction unit and a traditional PID control unit. The controlled water level signal, captured by an observation unit, is used as the input to both units. Two independent loops are then established, providing a comparison between the actual PID control result and the proposed LSTM-based prediction.

3.1 Traditional Control Unit

The traditional PID model is implemented to generate a reference value for the LSTM prediction. The single-pulse control model using a PID controller is built within the SIMULINK environment. The major units are the calculation unit, the execution unit and the feedback unit. Outputs from both PID and LSTM are fed into an additional observation unit, where a comparison is plotted on its display. In Fig. 5, a block diagram describes the implemented traditional PID model [11]. The specific components of each unit are described in detail in the following sections.

Fig. 5. Traditional control unit

Calculation Unit
The calculation module has two parts: error calculation and control signal generation. The error calculation (label 1-comparison in Fig. 5) is implemented using a sum function (Fig. 6). It calculates the difference between the actual water level and the preset desired water level. The control signal calculation (label 2-adjuster in Fig. 5) is the PID controller (Fig. 7). It provides the control signal according to the error between the setpoint and the feedback. The proportional parameter is set to 35, the integral parameter to 0.01, and the differential parameter to 25.


Fig. 6. Error calculation

Fig. 7. PID controller

Execution Unit
The execution module contains two parts: execution and physical process. The execution part (label 3-control valve in Fig. 5) uses the Gain function as shown in Fig. 8. It is responsible for transforming the control signal for the feed water valve. Its tuning parameter is set to 15.

Fig. 8. Control valve

The Physical Process (label 4-disturbance & label 5-boiler in Fig. 5) is simulated collaboratively by several components:
1. the feed water disturbance function, which adds an external disturbance via a pulse signal (Fig. 9);
2. the delay function, which simulates the non-instantaneous tuning time of the process (Fig. 10); and
3. the transfer function (Fig. 11), which transforms the water valve opening signal into the SG water level as formula 1 describes [12].

Feedback Unit The feedback unit (label 6-measuring transmitter in Fig. 5) is used to transfer the measured water level data back to the calculation unit. Its main component is the differential pressure transmitter (Fig. 12), and the gain is set to 1 due to the single impulse control adopted.


Fig. 9. Feed water disturbance

Fig. 10. Delay function

Fig. 11. Transfer function

Fig. 12. Differential pressure transmitter

3.2 Observation Unit The observation unit consists of data observation, signal display, and the comparison. The data observation is realized using the “To Workspace” component and integrated into the Data Collecting Subsystem (Fig. 13). It is used to capture the output data from both the traditional control unit and the prediction unit.

Fig. 13. Data collecting subsystem

The signal display module is the scope component, encapsulated into the Oscilloscope Subsystem (Fig. 14). It is used to observe the tendency of each signal. The difference between the PID control output and the prediction output is captured by the comparison unit, providing a result to validate the prediction accuracy. It gathers both outputs in a sum function and plots the comparison on the scope component. Its main structure is illustrated below in Fig. 15.


Fig. 14. Oscilloscope subsystem

Fig. 15. Comparison unit

3.3 Integration of the Validation Platform

The validation platform is integrated using the traditional control unit, the trained LSTM-based prediction unit, and the observation unit. Its architecture, along with the interaction among these units, is introduced in Fig. 16.

Fig. 16. The validation platform architecture

The validation platform assembly, which integrates all the units and modules introduced in Figs. 6–15, is illustrated in Fig. 17. This integration is implemented within the SIMULINK environment and prepares the platform needed to validate the prediction model.


Fig. 17. The validation platform assembly

4 Experiments and Results Analysis

4.1 Experiment Setup

The simulation is carried out on the above platform within the SIMULINK environment, with the following experiment setup measures:

1. Adjusting the PID control parameters if the controlled water level value does not converge;
2. Tuning the parameters of the execution module or the differential pressure transmitter if the controlled water level value does not converge to the predefined steady state;
3. Changing the range of the turbulence value if the feed water disturbance module is not functioning;
4. Checking and correcting (if necessary) the data normalization and de-normalization, as well as the format and dimensions of the input data, if the prediction unit cannot generate proper results;
5. Adjusting the neural network structure of the prediction unit and checking whether there is an overfitting problem if the standard deviation or MSE is unreasonable.

The experiments start with an initial water level turbulence signal going to the PID controller, which stimulates an SG water level adjustment process via the physical process module. This water level variation is captured by the observation unit and then given to the feedback unit as the next input to both the PID controller and the prediction unit. The comparison between the controlled water level values and the predicted ones yields the validation results, showing how accurate the predictions are.


4.2 Experiment Results and Analysis

Figure 18 records a periodic simulation process generated by feeding the turbulence signal repeatedly to the control unit, offering consecutive simulation samples for analysis. The captured simulation data start from 0 because there is no output yet from the PID control unit at 0 s. Results from both RNN and LSTM are plotted together with the controlled value. It is observed that the predictions from both LSTM and RNN closely follow the controlled water level, which demonstrates their functionality for SG water level prediction. Unlike the off-line prediction model test performed in [5], this prediction is carried out in real time, i.e. it is an online prediction based on continuously updated control feedback. The feasibility of deploying the LSTM model in an engineering application is verified through this simulation method.

Fig. 18. Overview of the simulation results

In Fig. 19, more detail is provided by zooming in on a chosen fragment of the simulation curve. Figure 19(a) shows a 10-s fragment from the 60th to the 70th second, while Fig. 19(b) shows a one-second interval around the 62nd second. The difference in prediction accuracy is then clearly visible: with the results shown in Fig. 19, LSTM proves to be the more accurate SG water level prediction model. The prediction error, i.e. the difference between the predicted and the controlled water level, is shown in Fig. 20. It clearly demonstrates that the LSTM model's prediction is more accurate and more stable than the RNN's. The RNN model shows error variation whenever a new turbulence signal is introduced, whereas the LSTM model's prediction error remains stable and close to 0. This result validates the LSTM model as a suitable prediction model for a time-variant, non-linear process such as SG water level control.

The Design and Implementation of an LSTM-Based Steam Generator

Fig. 19. Simulation details: (a) zoomed simulation fragment; (b) comparison at the 62nd second

Fig. 20. Prediction error—overview and details

The prediction errors and loss values are compared in Tables 2 and 3, respectively. As Table 2 shows, the LSTM model keeps the prediction error as low as the order of 10^-4 except during the first 10 s of the simulation, while the prediction error of the RNN model is clearly higher. Given that the RNN model also shows error drift during turbulence, the LSTM model has the better potential for application to SG water level prediction. Table 3 shows that the MSE of LSTM remains stable and converges fast, a property that matters for safety-critical processes in nuclear power plants, including SG water level control. The RNN model can reach an MSE of similar order of magnitude once the steady state is reached, but its slower convergence does not fully satisfy the requirement of predicting a time-variant, nonlinear process, quite apart from the gradient explosion and vanishing problems it faces.

Table 2. Prediction error at sampling points

Time    LSTM               RNN
10 s    1.4358 × 10^-2     3.6958 × 10^-1
20 s    2.3747 × 10^-4     6.9538 × 10^-3
40 s    −3.1170 × 10^-4    −4.7142 × 10^-4
80 s    2.7606 × 10^-4     1.8877 × 10^-4
160 s   −1.1887 × 10^-4    −2.0118 × 10^-4

Table 3. Prediction loss value (MSE) at sampling points

Time    LSTM               RNN
10 s    1.4021 × 10^-4     1.3473 × 10^-1
20 s    5.6391 × 10^-8     4.8355 × 10^-5
40 s    9.7160 × 10^-8     2.2224 × 10^-7
80 s    7.6210 × 10^-8     3.6533 × 10^-8
160 s   1.4130 × 10^-8     4.0474 × 10^-8

5 Conclusion

An LSTM-based SG water level prediction model is designed, implemented and validated in this work. Specific measures such as RU and Dropout are applied to obtain a more reliable model for the chosen time-variant, nonlinear process. A validation platform composed of the LSTM model and a PID controller is constructed to provide real-time evaluation. During validation, an RNN model is also tested with the same feedback. According to the simulation results, the LSTM model demonstrates its prediction functionality and better performance than the RNN model: its prediction error reaches as low as −1.1887 × 10^-4 in a stable manner, and its prediction accuracy satisfies the safety-critical system requirement with an MSE of 1.4130 × 10^-8. Moreover, the LSTM model converges faster than the RNN during online prediction, confirming it as the more suitable method for real-time SG water level prediction. With this demonstrated prediction performance, the LSTM model shows potential for assisting the traditional PID controller. Future research could address how to integrate the precise LSTM prediction with the control mechanism of the PID controller, so that the PID can react to operating variations in a smart and timely way.

Acknowledgement. The authors would like to thank the financial and technical support kindly provided by the following research projects and institutions, including but not limited to:
1. Research on the Fast Response and Intelligent Control of Nuclear Power Plants based on Predictive Control, Natural Science Foundation of Hunan Province (2018JJ2057);
2. Provincial Project on Talents Gathering, Innovation Talents Plan (2018RS3050);
3. The Industrial Internet Innovation and Development Project of China: Digital twin system for automobile welding and casting production lines and its application demonstration, TC19084DY, 2019;
4. The Central Research Institution of the State Power Investment Co. Ltd. (SPIC);
5. China Guangdong Nuclear Research Institution Co. Ltd.;
6. Hunan Xiangjiang Artificial Intelligence Academy.

References
1. Chen, L.: The optimization of PID control strategy in VAV system based on bacterial foraging algorithm. In: 19th International Conference on Network-Based Information Systems (NBiS), pp. 303–306 (2016)
2. Pan, Y.C., Lin, H.Z., Chen, X.L., Lv, X.Y.: PID control method based on fuzzy-RBF neural network and its application. Mach. Build. Autom. 48(3), 215–219 (2019)
3. Su, Y.B., Xia, H., Shen, J.: CFNN based water level control for nuclear steam generator. Chinese J. Nucl. Sci. Eng. 28(2), 158–162 (2008)
4. Kinoshita, K., Wakitani, S., Ohno, S.: Design of neural network PID controller based on E-FRIT. Electr. Eng. Jpn. 205(2), 33–42 (2018)
5. She, J.-K., Xue, S.-Y., Sun, P.-W., Cao, H.-S.: The application of LSTM model to the prediction of abnormal condition in nuclear power plants. In: Xu, Y., Sun, Y., Liu, Y., Wang, Y., Gu, P., Liu, Z. (eds.) SICPNPP 2019. LNEE, vol. 595, pp. 463–476. Springer, Singapore (2020). https://doi.org/10.1007/978-981-15-1876-8_46
6. Liu, T., Huang, Z.Y.: The overview of the intelligent control system. Inf. Commun. 8, 101–102 (2014)
7. Hua, S., Song, X.Q., Yang, X.N.: The overview of intelligent control. Digit. Commun. World 3, 144–161 (2019)
8. Hochreiter, S., Schmidhuber, J.: Long short-term memory. Neural Comput. 9(8), 1735–1780 (1997)
9. Hinton, G.E., Srivastava, N., Krizhevsky, A., Sutskever, I., Salakhutdinov, R.R.: Improving neural networks by preventing co-adaptation of feature detectors. arXiv preprint arXiv:1207.0580 (2012)
10. Wang, S., Wang, X., Wang, S., Wang, D.: Bi-directional long short-term memory method based on attention mechanism and rolling update for short-term load forecasting. Int. J. Electr. Power Energy Syst. 109, 470–479 (2019)
11. Hu, S.S.: Foundation of Automatic Control, 7th edn. Science Press, Beijing (2007)
12. Guo, H.H.: Dynamic simulation of the steam generator operation process. Master dissertation, Harbin Engineering University, Harbin (2007)

Research on Defense-In-Depth Standards for Information Security in NPP I&C System

Zhi-Wu Guo, Lu Zhu, and Liang Zhou
State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co., Ltd., Shenzhen 518172, China
[email protected]

Abstract. The wide application of information and network technology in the nuclear power field not only benefits the development of nuclear power but also brings new threats and challenges to nuclear safety. To reduce the potential risks that cyber attacks pose to nuclear power units and to guide information security design in nuclear power plants, this paper studies the defense-in-depth requirements of the information security standards for instrumentation and control (I&C) systems. It first compares domestic and foreign laws and standards against the current state of China's NPP information security laws and standards, then analyses the defense-in-depth content of the different laws and standards, and finally provides a reference for building China's nuclear power information security system. Keywords: Nuclear power plant · Information security · I&C system · Defense in depth

1 Introduction

The wide application of information and network technology in the nuclear power field not only benefits the development of nuclear power but also brings new threats and challenges to nuclear safety. The Stuxnet worm, which targeted centrifuge control systems at Iran's Natanz enrichment facility and was also found on computers at the Bushehr Nuclear Power Plant, and the BlackEnergy attack on the Ukrainian power grid in 2015 both highlight the importance and urgency of information security protection for I&C systems. Taking the NPP I&C system as its object, this paper introduces the information security related laws and standards in the nuclear power field at home and abroad, compares and analyses the defense-in-depth principles and requirements of these standards for I&C systems, and studies an information security defense-in-depth system for I&C systems suited to the current state of nuclear power in China.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021 Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 518–526, 2021. https://doi.org/10.1007/978-981-16-3456-7_50

Research on Defense-In-Depth Standards for Information Security


2 Introduction to Information Security Regulations and Standards in Foreign Nuclear Power

2.1 American Standards System

The U.S. nuclear power regulation and standard system is divided into five levels, as shown in Fig. 1. The first layer is the Atomic Energy Act, the basic law of nuclear energy in the United States. The second layer is federal regulations: Title 10 of the Code of Federal Regulations (10 CFR), "Energy", stipulates the principles and guidelines for the peaceful use of atomic energy. The third layer is regulatory guidance: the U.S. Nuclear Regulatory Commission (NRC) has formulated a set of Regulatory Guides (RG), which provide guidance and acceptable methods for meeting the requirements of the laws and regulations. The fourth layer is the technical documents prepared by the NRC's Office of Nuclear Reactor Regulation. The fifth layer is the U.S. nuclear power standards and specifications, the technical documents used for the specific implementation of the regulations and guides.

Fig. 1. U.S nuclear power regulations and standards system.

In the area of information security of NPP I&C systems, the regulatory requirements come from 10 CFR 73.54, "Protection of Digital Computer and Communication Systems and Networks" [1]. The guidance includes RG 5.71, "Cyber Security Programs for Nuclear Facilities" [2], and RG 1.152, "Criteria for Use of Computers in Safety Systems of Nuclear Power Plants" [3], among others. The security-related standards and technical documents include the NIST SP 800 series (documents describing the computer security policies, procedures and guidelines of the U.S. federal government) [4, 5], etc.

2.2 Other International Standards

The IEC 62443 series (security for industrial process measurement and control: network and system security) is divided into four parts [6]: general, policies and procedures, system and component, with a total of 12 documents. Each document addresses a different aspect of information security in industrial control systems and sets out security requirements for asset owners, system integrators and component suppliers.

IEC 62645, "Nuclear power plants - Instrumentation and control systems - Requirements for security programmes for computer-based systems", sets requirements and provides guidance for the development and management of an effective security programme for computer-based NPP I&C systems [7]. It applies to the computer security of I&C systems (including non-classified systems) used in nuclear power plants. The standard defines three security levels with graded security requirements, S1, S2 and S3, and specifies the network boundaries and security controls for each level.

IAEA Nuclear Security Series No. 17, "Computer Security at Nuclear Facilities", emphasises that computer security should be a basic part of the overall security plan of a nuclear facility and provides guidance for implementing computer security programmes at nuclear facilities [8].

3 Current Situation of Information Security Regulations and Standards for Chinese NPP I&C Systems

3.1 Chinese Nuclear Power Regulations and Standards System

The Chinese nuclear safety regulatory system is generally pyramid-shaped, with five levels: national laws, regulations of the State Council, departmental rules, guiding documents and reference documents, as shown in Fig. 2. At present there is only one national law in the field of nuclear safety in China, the Law of the People's Republic of China on the Prevention and Control of Radioactive Pollution. The regulations of the State Council refine the national laws in the field of nuclear safety and stipulate specific legal requirements, mainly including HAF 001, "Regulations of the People's Republic of China on Safety Supervision and Administration of Civil Nuclear Facilities", etc. In the field of nuclear safety, departmental rules include the detailed rules for implementing the State Council regulations and the administrative provisions on nuclear safety technical requirements.


Fig. 2. Chinese nuclear safety regulations system.

The guiding documents, the nuclear safety guides (HAD series), are instructive and recommended: they describe the methods and procedures adopted to implement the departmental rules on nuclear safety. Those related to NPP I&C systems include HAD 102/14, "Instrumentation and Control Systems Important to Safety in Nuclear Power Plants", and HAD 102/16, "Software for Computer-based Systems Important to Safety in Nuclear Power Plants", etc. Reference documents mainly refer to adopted national standards, industry standards, international standards and other nuclear safety related technical documents.

3.2 Information Security Regulations and Standards in the Nuclear Power Field

At present China has no legal requirements on NPP information security. The nuclear safety guides include the requirements of HAD 102/16 and other documents, and relevant information security provisions are also contained in NDRC Decree No. 14, "Provisions on Safety Protection of Electric Power Monitoring Systems". HAD 102/16 starts from the various aspects of NPP computer-based systems (technical considerations [9], safety management requirements, project plans, etc.) and lists in detail the requirements and recommendations to be met at each stage of system software development, including software requirements, design, implementation and verification; it covers all aspects of the security of software important to safety and is an important reference for establishing an NPP information security protection system. The core of NDRC Decree No. 14 is the overall security protection strategy for power monitoring systems of "security zoning, dedicated networks, horizontal isolation and vertical authentication" [10]. Clearly, the Chinese nuclear safety regulatory system is relatively complete and well structured, but there is no standard specifically targeting the information security of NPP I&C systems.

4 Defense-in-Depth in NPP Information Security Regulations and Standards

Defense in depth is an important means of preventing accidents and mitigating their consequences. Under the defense-in-depth principle, the failure of a single defensive measure must not lead to the loss of a plant safety function.

4.1 Regulatory Guide 5.71

RG 5.71 requires licence applicants to establish a cyber security programme that applies and maintains an overall defense-in-depth strategy, so that they can detect, prevent, respond to, mitigate and recover from cyber attacks. Defense in depth can be realised in many ways. From the perspective of the security architecture, it involves establishing multiple protective boundaries so that critical digital assets (CDAs) and networks are protected from cyber attack; under such an architecture an attack can only escalate to affect critical systems or networks after multiple protection mechanisms have failed. Realising defense in depth therefore requires not only multiple protective boundaries but also the formulation and maintenance of robust defensive control procedures. For example, if prevention fails because the defensive policy is violated or a protection mechanism is bypassed by a new virus that has not yet been recognised as a cyber attack, the remaining mechanisms should still detect and handle unauthorised modifications to the affected CDA, mitigate their impact and restore the affected CDA to normal operation before adverse effects occur. RG 5.71 introduces a defensive strategy in which communication boundaries are established between the different security defensive levels, and defensive measures are deployed at those boundaries to detect, prevent, delay, mitigate and recover from cyber attacks. This concentric, layered defense (see Fig. 3) is conceptually similar to the existing physical protection areas of nuclear facilities (vital areas, protected areas, owner-controlled areas, plant areas and public areas).


Fig. 3. Simplified information security defense architecture

An acceptable defensive architecture should include at least the following:
– CDAs performing safety or security-critical functions shall be configured at Level 4 and protected from CDAs at lower levels;
– Between Level 4 and Level 3, and between Level 3 and Level 2, only one-way data flow is allowed;
– Lower-level digital assets are prohibited from initiating communications with higher-level digital assets;
– Data may flow from one level to another only through devices that implement the defensive measures between those levels;
– The ability to detect, prevent, delay, mitigate and recover from cyber attacks shall be maintained;
– Security controls (technical, operational and administrative) shall be configured to protect the CDA, but not where a control would adversely affect SSEP (safety, security and emergency preparedness) functions or unit performance (e.g. unacceptable system response time or increased system complexity);
– Applications, services and protocols that are not necessary to support the CDA's design-basis functions should be removed.

Although communication within the same level is allowed, digital isolation is still the safest way to protect a CDA from network attacks; therefore CDAs should be digitally isolated wherever feasible.
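The structural rules in the list above can be checked mechanically against a plant's network-flow inventory. The following Python script is an added example, not code from RG 5.71 or from this paper: it encodes four of the rules (safety CDAs at Level 4, one-way data flow across the 4/3 and 3/2 boundaries, no lower-to-higher initiation, cross-level traffic only through a boundary device) and evaluates a constructed inventory. The asset names, level assignments and flows are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

SAFETY_LEVEL = 4                        # innermost level: safety / security-critical CDAs
ONE_WAY_BOUNDARIES = {(4, 3), (3, 2)}   # (higher, lower): data leaves, nothing comes back


@dataclass(frozen=True)
class Asset:
    name: str
    level: int                      # 1 (outermost) .. 4
    cda: bool = False               # critical digital asset
    safety_function: bool = False   # performs a safety or security-critical function
    boundary_device: bool = False   # implements the defensive measures at a level boundary


@dataclass(frozen=True)
class Flow:
    initiator: str              # asset that opens the connection
    target: str
    bidirectional: bool = True  # session traffic (TCP); False for a diode-style push
    via: str = ""               # boundary device the flow traverses, "" if none


def check_architecture(assets: List[Asset], flows: List[Flow]) -> List[Tuple[str, str]]:
    """Return (subject, rule violated) pairs; an empty list means the inventory complies."""
    by_name = {a.name: a for a in assets}
    findings = []

    for a in assets:
        if a.cda and a.safety_function and a.level != SAFETY_LEVEL:
            findings.append((a.name, "safety CDA must be configured at Level 4"))

    for f in flows:
        src, dst = by_name[f.initiator], by_name[f.target]
        if src.level == dst.level:
            continue    # permitted within a level (isolation still preferred)
        key = f"{f.initiator}->{f.target}"
        if src.level < dst.level:
            findings.append((key, "lower-level asset initiates communication with higher level"))
        if not (f.via and by_name[f.via].boundary_device):
            findings.append((key, "cross-level flow bypasses the boundary device"))
        if f.bidirectional:
            # every 4/3 or 3/2 boundary inside the span the flow crosses must be one-way
            low, high = sorted((src.level, dst.level))
            for lvl in range(low, high):
                if (lvl + 1, lvl) in ONE_WAY_BOUNDARIES:
                    findings.append((key, f"Level {lvl + 1}->{lvl} boundary permits one-way data flow only"))
    return findings


# Constructed inventory (assumptions for illustration, not from RG 5.71 or the paper).
SAMPLE_ASSETS = [
    Asset("rps-controller", 4, cda=True, safety_function=True),
    Asset("data-diode-4-3", 4, boundary_device=True),
    Asset("safety-hmi", 3, cda=True, safety_function=True),   # misplaced: should be Level 4
    Asset("plant-computer", 3, cda=True),
    Asset("eng-workstation", 3),
    Asset("firewall-3-2", 3, boundary_device=True),
    Asset("historian", 2),
]
SAMPLE_FLOWS = [
    Flow("rps-controller", "plant-computer", bidirectional=False, via="data-diode-4-3"),  # compliant
    Flow("plant-computer", "historian", via="firewall-3-2"),          # session across 3/2: not one-way
    Flow("eng-workstation", "rps-controller", via="data-diode-4-3"),  # lower level initiates, and two-way
    Flow("eng-workstation", "historian", bidirectional=False),        # no boundary device in the path
]

if __name__ == "__main__":
    for subject, rule in check_architecture(SAMPLE_ASSETS, SAMPLE_FLOWS):
        print(f"{subject}: {rule}")
```

The one-way check walks every boundary in the span a flow crosses, so a flow that skips a level (for example Level 4 straight to Level 2) is still caught; a real inventory would be exported from the plant's network documentation rather than typed in as above.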


Z.-W. Guo et al.

4.2 IEC 62645 Standard

IEC 62645 requires that every I&C system be assigned a level of information security defense (hereinafter "security level", to distinguish it from the safety category of IEC 61226) [11]. The security level of an I&C system is determined by the worst consequence that a successful cyber attack on that system could have on plant safety and on plant performance (performance being understood here from the power generation perspective). The security level is determined according to the following principles:
– The consequences of cyber attacks affecting safety are assumed to be more serious than those affecting plant performance;
– Systems are considered from a functional point of view and assigned a security level according to the direct or indirect impact the system may have on plant safety and performance; a system is assigned the level of the most sensitive function it performs (i.e. the function whose malicious manipulation or damage would have the most serious impact);
– This consequence-based allocation method must be strict and repeatable so that the resulting security assignments are reproducible and consistent. The analysis should also consider the possibility of similar attacks on other I&C systems.

The standard defines three security levels, S1, S2 and S3. First, functions and systems are analysed to determine the worst consequences that malicious acts, or events involving malicious acts, could have on plant safety and performance, and the results are recorded. According to these worst consequences, each system is assigned a security level from S1 (strictest) to S3 on the following principles:
– I&C systems performing category A safety functions are assigned security level S1;
– I&C systems required for real-time plant operation, and those performing category B safety functions, are assigned security level S2 or stricter;
– Security level S3 is assigned to I&C systems whose worst-case functions are category C, and to I&C systems supporting plant operation and maintenance.

It is worth noting that the classification method of IEC 62645 aims to protect plant safety and performance against cyber threats on the basis of consequence analysis. The safety category defined in IEC 61226 is an important input for determining the security level, but there is no strict one-to-one correspondence between safety category and security level. For example, I&C systems required for real-time operation are recommended for security level S2 without reference to their safety category, and non-classified systems may also be assigned a strict security level. Besides safety, the impact on plant performance is also considered in assigning security levels.

IEC 62645 sets out technical requirements for I&C systems according to their security level: common requirements that apply to all I&C systems regardless of level, and additional requirements specific to S1, S2 and S3 systems. The standard also specifies security requirements for I&C maintenance and diagnostic tools. For example, when such tools are directly connected (temporarily or permanently) to an I&C system, they must be assigned the same security level as the associated I&C system; their use (who, what, when) must be recorded and strong access controls implemented.
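The consequence-based assignment above (a system takes the level of its most sensitive function; a non-classified but real-time system still lands at S2) and the rule that directly connected maintenance tools inherit their system's level can be written down as a small classification routine. The following Python is an added example, not code from IEC 62645 or from this paper; the function names, the categories attached to them and the tool list are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# IEC 62645 security levels, S1 strictest; a lower rank means stricter.
RANK = {"S1": 0, "S2": 1, "S3": 2}


def stricter(a: str, b: str) -> str:
    """Return the stricter of two security levels."""
    return a if RANK[a] <= RANK[b] else b


@dataclass(frozen=True)
class Function:
    name: str
    safety_category: Optional[str] = None   # IEC 61226 category "A", "B", "C"; None = non-classified
    real_time_operation: bool = False       # required for real-time operation of the plant


def level_for_function(fn: Function) -> str:
    """Consequence-based level of one function: safety consequences outrank
    performance consequences, and real-time operational functions rate S2
    even when the function carries no safety category."""
    if fn.safety_category == "A":
        return "S1"
    if fn.safety_category == "B" or fn.real_time_operation:
        return "S2"
    return "S3"


def level_for_system(functions: List[Function]) -> str:
    """A system takes the level of its most sensitive function."""
    level = "S3"
    for fn in functions:
        level = stricter(level, level_for_function(fn))
    return level


@dataclass
class System:
    name: str
    functions: List[Function]
    linked_tools: List[str] = field(default_factory=list)  # maintenance/diagnostic tools directly connected


def classify(systems: List[System]) -> Dict[str, str]:
    """Assign levels to systems and to their directly linked tools. A tool
    inherits the level of the system it is connected to; a tool shared by
    several systems must satisfy the strictest of them."""
    levels: Dict[str, str] = {}
    for system in systems:
        level = level_for_system(system.functions)
        levels[system.name] = level
        for tool in system.linked_tools:
            levels[tool] = stricter(levels.get(tool, "S3"), level)
    return levels


# Constructed plant inventory (assumptions for illustration, not from the standard).
SAMPLE_SYSTEMS = [
    System("reactor-protection",
           [Function("reactor trip", "A"), Function("trip status display", "C")],
           linked_tools=["rps-test-unit"]),
    System("turbine-control",
           [Function("speed governor", None, real_time_operation=True)]),
    System("feedwater-control",
           [Function("SG level control", "B"), Function("trend logging")],
           linked_tools=["engineering-station"]),
    System("plant-computer",
           [Function("alarm display", "C"), Function("data archiving")],
           linked_tools=["engineering-station"]),
]

if __name__ == "__main__":
    for name, level in sorted(classify(SAMPLE_SYSTEMS).items()):
        print(f"{name:20s} {level}")
```

The shared engineering station is the case to watch: connected to both an S2 and an S3 system, it must be managed at S2, which is exactly the tool requirement quoted above.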

5 Graded Protection Standards for Domestic Computer Information Systems

China has established a set of graded protection standards for computer information systems. The series takes GB 17859-1999, "Classified criteria for security protection of computer information system", as its core [12] and includes GB 22239-2008, "Information security technology - Baseline for classified protection of information system security", GB 20269-2006, "Information security technology - Information system security management requirements", and other supporting standards, forming a complete system. Under graded protection, an information system is graded by the degree of harm to the protected objects (the legitimate rights and interests of citizens, legal persons and other organisations; social order; public interest; and national security) if the system is compromised. The information systems being graded should be tangible entities that carry a single or relatively independent business application [13]. However, the large-scale distributed I&C systems widely used in nuclear power plants are highly interconnected, with considerable data communication between safety-classified and non-classified systems. Relying on the graded protection requirements alone cannot meet the information security protection needs of NPP I&C systems.

6 Summary

In summary, RG 5.71 and IEC 62645, the NPP information security standards under the NRC and IEC frameworks respectively, place different emphases on defense in depth. The former determines whether a digital asset is a critical digital asset according to the functions it performs, and then deploys security controls to protect the CDAs according to the defense-in-depth principle. The latter divides systems into security levels according to the worst consequence of a successful cyber attack on the system, and sets corresponding security and technical requirements for systems at each level.


At present there is no dedicated standard for NPP information security in China, and the graded protection standards for computer information systems are not fully applicable to NPP I&C systems. To reduce the potential risks that cyber attacks pose to nuclear power units and to guide NPP information security design, the relevant standards need to be improved as soon as possible, and an information security defense-in-depth system suited to nuclear power I&C established.

References
1. 10 CFR 73.54: Protection of digital computer and communication systems and networks
2. U.S. Nuclear Regulatory Commission, Regulatory Guide 5.71: Cyber Security Programs for Nuclear Facilities
3. U.S. Nuclear Regulatory Commission, Regulatory Guide 1.152: Criteria for Use of Computers in Safety Systems of Nuclear Power Plants
4. NIST SP 800-82: Guide to Industrial Control Systems (ICS) Security
5. NIST SP 800-53: Recommended Security Controls for Federal Information Systems
6. IEC 62443: Security for Industrial Process Measurement and Control: Network and System Security
7. IEC 62645: Nuclear power plants - Instrumentation and control systems - Requirements for security programmes for computer-based systems
8. IAEA Nuclear Security Series No. 17: Computer Security at Nuclear Facilities
9. HAD 102/16: Software for Computer-based Systems Important to Safety in Nuclear Power Plants
10. Decree No. 14 of the National Development and Reform Commission: Provisions on Safety Protection of Electric Power Monitoring Systems
11. IEC 61226: Nuclear power plants - Instrumentation and control systems important to safety - Classification of instrumentation and control functions
12. GB/T 17859: Classified criteria for security protection of computer information system
13. GB/T 22240: Information security technology - Classification guide for classified protection of information system security

The Analysis for Method of I&C Equipment Period Demonstrating in NPP Refueling Cycle Extension Project

Zhi-Wu Guo and Long-Qiang Zhang
State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co., Ltd., Shenzhen 518172, China
[email protected]

Abstract. Before implementing the extended fuel cycle improvement in a nuclear power plant, an adaptability analysis of the cycles of the relevant systems and equipment must be conducted, to show that the improved cycle still meets the requirements for safe plant operation. This paper first raises the problems of how to demonstrate the equipment cycles affected by the refueling cycle, and what methods can be used to analyse the cycles of the many types of I&C equipment, manufactured by different suppliers, under 18-month refueling. Based on the engineering experience of refueling cycle extension at domestic and international nuclear power plants, the paper briefly introduces several periodic demonstration methods and explains their characteristics, providing guidance and practice for nuclear power plants implementing fuel cycle extension. Keywords: Nuclear power plant · Refueling cycle · Period · Technical analysis centered maintenance · Reliability · Failure mode

1 Introduction

Since 1978, the 18-month refueling cycle of PWR nuclear power plants has accumulated more than 30 years of practical experience. At present about 75 reactors in the United States and nearly 30 in France operate on 18-month cycles, and extending the fuel cycle is one of the mature technologies for improving nuclear power plant performance worldwide. The Daya Bay Nuclear Power Plant in Guangdong Province, China has implemented 18-month refueling, the Ling Ao Phase II project will adopt an 18-month refueling cycle, and other plants such as Qinshan Phase II and Tianwan (Lianyungang, Jiangsu) have started 18-month refueling improvements. An 18-month refueling cycle means a cycle length of about 540 calendar days (about 500 days of full-power operation plus about 35 days of outage), i.e. a cycle of about 18 months is completed [1].

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021 Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 527–535, 2021. https://doi.org/10.1007/978-981-16-3456-7_51


Z.-W. Guo and L.-Q. Zhang

The 18-month refueling optimisation has the following advantages: 1) it reduces the nuclear fuel cycle cost, thereby reducing the cost of power generation and improving the plant's economic efficiency; 2) it reduces the number of outages over the plant's life by one third and increases unit availability; 3) it helps extend plant life, in particular that of the pressure vessel, and increases plant revenue; 4) it reduces the average annual production and discharge of radioactive waste and the occupational radiation dose received by staff.

The 18-month refueling design involves fuel design, nuclear design, thermal-hydraulic design, accident analysis, system demonstration and periodic demonstration; among these, the periodic demonstration concerns the periodic testing of system equipment when plant operation moves from a 12-month to an 18-month cycle, and is closely related to maintenance [2]. Clearly the test cycles of the system equipment affected by the fuel cycle extension must be demonstrated: before the plant extends its fuel cycle, the reliability, maintainability and performance of the system equipment must be shown to suit the requirements of safe and stable unit operation, maintenance plan optimisation and plant economics under the new fuel cycle. But problems remain: how to demonstrate the periodic test cycles of the various I&C systems and equipment, and what methods can be used to analyse the cycles of the many types of I&C equipment manufactured by different suppliers. This paper first introduces the requirements on surveillance frequency, including reliability objectives. Then it briefly analyses the periodic demonstration methods and their characteristics for I&C equipment under the long fuel cycle of several nuclear power plants, based on current domestic and international experience of 18-month refueling cycle extension. Lastly, a summary is given of the methods applied in several nuclear power projects.

2 Regulatory Standards Requirements

2.1 Regulation Standards for the Frequency of Supervision

According to the provisions of the Supervision of Nuclear Power Plant Safety Important Items HAD 103/09 [3], the following items need to be considered when determining the frequency of supervision of items important to safety:
(1) The safety importance of the item and the need to meet the reliability objectives;
(2) The manufacturer's recommendations and the results of the type test, durability test and cyclic load test;
(3) The expected failure mechanism, results of feasibility analysis, years of use of items and systems, component types and conditions of use;
(4) Failure-rate experience obtained from maintenance and from the operating experience of this nuclear power plant and of other similar nuclear power plants;
(5) The degree of automation of supervision.

NPP Refueling Cycle Extension Project


2.2 Requirements for Periodic Test Intervals in Regulatory Standards

According to the provisions of Section 6.5 [Test Interval] of Nuclear Power Plant Safety System Periodic Test and Testing, GB/T 5204-2008, the following factors need to be considered [4]:
(1) Technical specifications or recommendations of the manufacturer;
(2) Historical experience with the use of similar equipment, such as failure rate data (including data obtained from the reliability database), pre-operational tests, quality data, industrial use experience and operating experience of the power plant;
(3) Equipment quality appraisal report and analysis;
(4) Fault data: important fault modes, fault mechanisms, and the probability distributions of faults and of maintenance. These distributions are the main issues considered when determining the test interval, and they are characterized by parameters such as mean time to failure (MTTF), mean time to repair (MTTR), probability of failure and its variability, historical data and engineering judgment.

Sub-clause 5.6.5 states that "the test interval can be changed to suit the mode of operation of the plant, but it is to be demonstrated that such changes have no detrimental effect on the expected performance of the equipment being tested, …". With reference to the above regulations, the basis for determining the frequency of periodic test supervision and the principle for determining the interval between tests, the demonstration of the relevant equipment cycle needs to be carried out from the perspectives of power plant experience, equipment suppliers and equipment technical characteristics.

3 Equipment Cycle Demonstration Method

According to the practical experience of prolonging the fuel cycle at home and abroad, there are many demonstration methods for the equipment cycle of long fuel cycle projects. In view of the limited space of the article, this article mainly explains three demonstration methods.

3.1 Power Plant Experience Feedback Method

Power plant Experience Feedback mainly uses power plant projects that have successfully implemented the same type of long fuel cycle improvement and have many years of safe operation experience as the Reference Power Station [5]. The system design and equipment technical performance indices are compared with those of the Reference Power Station; if the technical performance indices of the equipment to be demonstrated are basically the same as those of the Reference Power Station, or the technical performance is more advanced and better than that of the Reference Power Station, then the period of this part of the equipment can be extended to the long cycle. Since the equipment Supply Contractor of the Nuclear Power Plant to be demonstrated may differ from that of the Reference Power Station, equipment suppliers at the same functional location should be compared when comparing equipment.


If the equipment suppliers are different, it is necessary to contact the suppliers to provide opinions on equipment reliability and test cycle. If the requirements for prolonging the fuel cycle can be met, the demonstration is passed; if not, design changes or engineering modifications need to be carried out. If the equipment suppliers are the same, the comparison continues with the functions, safety levels, quality levels, mechanical manufacturing levels, electrical manufacturing levels, operating environment conditions, etc. of the equipment. If the comparison shows no difference, or the index of the power station equipment to be demonstrated is better, and moreover the reliability of the corresponding equipment in the Reference Power Station has met the requirements of the initial demonstration in actual operation after long-term refueling, the cycle of the Reference Power Station Item Concerned can be directly adopted, and the cycle of the equipment to be demonstrated can be adjusted to be consistent with that of the Reference Power Station equipment. Otherwise, further supplementary analysis and demonstration are needed. The process is shown in Fig. 1.

Fig. 1. NPP experience feedback flow diagram


3.2 Supplier Feedback Method

For the performance of a device, the supplier's recommendations and information can be used as a basis for the extension of the equipment cycle. Each device has a life cycle from production to final wear-out. When evaluating product reliability, it is usually characterized by the failure rate. After much experimental research and statistical analysis, it has been found that the relationship between the failure rate of general product equipment and time follows the bathtub curve [6], as shown in Fig. 2. During the life of the product, the equipment generally experiences an early failure period, an infrequent failure period and a wear-out (damage) failure period until decommissioning.
(1) Early failure period: characterized by a very high failure rate, which decreases rapidly as the product's working time increases. Failures at this stage are mostly caused by defects in design, raw materials and the manufacturing process. Strengthening the inspection of raw materials, strengthening quality management, improving technology and other measures can greatly reduce early failures.
(2) Infrequent failure period: characterized by a low failure rate and a stable working period of the product; the failure causes are diverse and accidental, mainly some defects that cannot be eliminated. At this time the faults are completely unpredictable, and failures occur randomly at a certain rate.
(3) Damage failure period: the failure rate gradually increases with time, and the failures are mainly caused by wear and aging. Faults generally occur within a certain period of time, so it is difficult to determine the time point for equipment renewal, which can only be obtained from a large body of statistical experience.

For different products, or for the same product at different levels of design, manufacture, use and maintenance, the values, slopes and durations of each section of the corresponding bathtub curve differ. Therefore, for each kind of equipment, the Supply Contractor usually carries out typical product performance tests, such as anti-fatigue tests, cyclic loading tests, reliability measurement tests, reliability verification tests, etc. At the same time, according to the historical use data of this type of equipment, the durable working time and the mean time between failures (MTBF) of vulnerable parts are determined by statistical methods. According to the advice and information provided by the supplier, if the reliability of the equipment can be fully guaranteed within the cycle range required by Nuclear Power Plant regulations, standards and relevant supervision requirements, the relevant cycle of this part of the equipment can be extended to the long cycle.

[Fig. 2 is a plot of the failure rate λ(t) against time t, divided into the early failure period, the infrequent failure period and the damage failure period, with the delivery point and the repair/update point marked on the time axis.]
Fig. 2. Bathtub curve

3.3 TCM Analysis Method

The TCM analysis method (Technical analysis Centered Maintenance) not only answers the questions "why is the equipment repaired, and when", but also "how is the equipment repaired". It combines functional analysis and technical analysis of the device; these are two important and different ways of analysis: functional analysis addresses the function of the device in the system, and technical analysis is directed at the device type. The TCM analysis method adopts a hierarchical equipment management method. In the analysis process, the equipment and the system are classified, according to the result of the functional analysis, into key sensitive equipment related to nuclear safety, key sensitive equipment related to availability, important equipment related to maintenance cost, and non-essential equipment. Different maintenance combinations and decisions are taken based on the results of the equipment classification [7]. Functional analysis of the equipment determines the need for maintenance activities; focusing on the technical characteristics of the equipment, working principle analysis, reliability analysis, failure mode analysis and aging detection analysis are carried out to determine the correct maintenance method, maintenance frequency, technical guidelines and cycles of the relevant maintenance activities. TCM analysis also considers the requirements of equipment aging and life management. The related results can guide the preventive maintenance and trend analysis of the equipment, thus providing technical support for equipment condition monitoring and the formulation of fault prediction strategies. The TCM analysis process is shown in Fig. 3. The technical analysis process is shown in the dotted-line frame of the left branch in Fig. 3 and is briefly described as follows [8]:
(1) Working principle analysis: a description of the physical principles of a certain type of equipment and how the equipment operates. This analysis provides information for failure mode analysis and for understanding equipment aging.
(2) Failure mode analysis: based on the understanding of the working principle of the equipment, the sensitive components of the equipment are analyzed, and the maintenance activities and execution methods that may be needed for the degradation of the weak links of the sensitive components are derived, so as to effectively detect or delay the degradation process.


(3) Reliability analysis: a large body of power plant operation and maintenance experience is used as the basis for the equipment reliability assessment, to determine the frequency of the related maintenance activities; for example, the operation and maintenance experience feedback data accumulated over many years from the French EDF600 reactors.
(4) Aging detection analysis: for equipment subject to an aging mechanism and aging phenomena, the failure mode analysis has determined the components affected by fatigue; the level of fatigue is tracked by setting up appropriate predictive maintenance, or by extracting from the identified preventive maintenance activities those predictive maintenance tasks that effectively detect aging.

Fig. 3. TCM analysis process

Based on the results of the functional analysis and technical analysis of the equipment, combined with the Experience Feedback from the actual operation of the power station, the possibility of establishing the corresponding system equipment cycle of the power station under the long fuel cycle is explored. If the period of the analyzed equipment can be extended to the long period, an appropriate extension is made.


3.4 Characteristics of Equipment Cycle Demonstration Method

The characteristics of the above three demonstration methods are analyzed as follows:
(1) The main feature of the power plant Experience Feedback method is the comparison of equipment attributes (such as function, manufacturer, model, etc.). Through comparison with the same or similar equipment in the reference nuclear power plant, it can be directly or indirectly determined whether the equipment cycle can be prolonged. For equipment for which this cannot be determined by comparison, supplementary demonstration shall be carried out by other means. The advantage of this method is that it is simple to apply; the disadvantage is that if there is no similar nuclear power plant as a reference, its applicability is reduced.
(2) The main feature of the supplier feedback method is a deep grasp of equipment performance (anti-fatigue, reliability, life, maintenance frequency, durability time, etc.). Starting from the equipment itself, professional information and guidance can be given, and whether to extend the equipment cycle to the long cycle can be decided by combining the manufacturer's opinions with the requirements of regulations and standards. The advantage of this method is its strong universality; theoretically, all equipment cycle demonstrations can be completed by this method. The disadvantage is that there are many types and quantities of equipment to be demonstrated, which makes it difficult to collect supplier information.
(3) The essence of the TCM analysis method is to put forward classification requirements for the equipment itself according to the importance of its functions. Its main characteristics are comprehensive analysis of key equipment, focused analysis of secondary key equipment, and analysis of general equipment according to the situation. The method has clear objectives, high technical requirements and large basic data requirements. It is a dynamic closed-loop process and can be continuously optimized during execution.

4 Summary

This paper introduces several Instrument and Control system equipment cycle demonstration methods according to the international and domestic practical experience of nuclear power plant long fuel cycle projects, and analyzes the characteristics of the above-mentioned demonstration methods. These methods have been applied successfully in the 18-month refuelling cycle extension project of a CPR1000 nuclear power plant. Besides, these methods can also provide technical support for the equipment aging management and maintenance strategy formulation of Nuclear Power Plants that have implemented long fuel cycles. The methods introduced in this paper have important guiding significance for improving the reliability of nuclear power plant Instrument and Control system equipment and its periodic testing.


References
1. Special material for 18 months refuelling of X Nuclear Power Plant phase I Project, restricted material of CNPDC
2. Zhang, Z.-Y.: Design demonstration of 18 months refuelling for Daya Bay Nuclear Power Station. Nucl. Power Eng. 23(5), 1–4 (2002)
3. HAD 103/09: Supervision of important items of nuclear power plant safety
4. GB/T 5204-2008: Nuclear power plant safety system periodic test and testing
5. Guidelines for periodic demonstration of periodic test for X nuclear power project, chapter 4.2. Internal engineering documents of CNPDC
6. Mowbray, J., Kang, J.-S., He, Y.-X.: Reliability-centered maintenance. Ordnance Engineering College Press, Shijiazhuang (2002)
7. Maintenance strategy and impact analysis for I&C equipment of 18 months refuelling. Internal Engineering Documents of CNPDC
8. Qu, M., Zhang, S., et al.: TCM analysis of instrument control equipment. Daya Bay Nuclear Power No. 2 (2008)

Spurious Actuation of I&C Systems Analysis Methodology in Nuclear Power Plant

Zhen Yang1,2(B), Hui Jiang1,2, Ya-Jie Tian1,2, Jia-Lin Ping1,2, and Huan Huang1

1 State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co., Ltd., Shenzhen 518172, China
2 I&C Department, China Nuclear Power Engineering Company Ltd., Shenzhen 518172, China

Abstract. In recent years, the potential spurious actuation posed by digital I&C systems has attracted considerable attention in the nuclear industry, and the development of an associated methodology has become an important and urgent issue. A new identification method for spurious actuation of digital I&C systems is developed. It is a top-down process which begins with a basic identification of the potential spurious actuation event; the associated influence is then evaluated to determine whether the spurious actuation could challenge plant safety. Subsequently, the identified spurious actuations of I&C functions are analyzed following the safety analysis. As an example, a specific spurious actuation event is defined and analyzed.

Keywords: Spurious actuation · I&C systems · Methodology

1 Introduction

The application of digital instrumentation and control (I&C) technology has become more and more prevalent in nuclear power plants (NPPs) worldwide, considering its multiple benefits, e.g. the ability to perform more complex functions, improved numerical precision and stability, higher availability due to on-line diagnostics, and less risk in providing spare components compared with ageing analog-based equipment; references [1, 2] present the increasing usage of digital I&C technology in NPPs operating in Belgium, Canada, Finland, France, Germany and India, among other countries. The application of digital I&C technology introduces the substantial advantages mentioned above, but it also brings unique challenges. As mentioned in [3] and [4], errors, deficiencies or defects at any stage of the digital I&C systems' life cycle may result in systematic faults that may remain undetected until specific conditions activate the faulted state and result in the failure of a critical function. Because the digital technology is used in redundant channels within a system (or multiple systems), a potential common cause failure (CCF) could cause misbehaviour in the redundant channels of a system (or of multiple systems) simultaneously and then lead to undesirable plant consequences. Hence, the whole nuclear industry has accepted that the additional potential for CCF vulnerabilities posed by digital I&C systems is not negligible and requires special consideration.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 536–550, 2021. https://doi.org/10.1007/978-981-16-3456-7_52


As regards the potential effects of CCF, a simple metric is described in Table 1 (quoted from [5]) and two scenarios are defined: (a) the digital I&C systems do not initiate when plant conditions require delivery of a safety function, and (b) the digital I&C systems spuriously initiate when plant conditions do not require delivery of a safety function.

Table 1. Potential effects of CCF

| | Plant conditions require a trip or actuation | Plant conditions do not require a trip or actuation |
|---|---|---|
| Trip or actuation occurs | Proper system operation | System failure (spurious actuation) |
| Trip or actuation does not occur | System failure (actuation does not occur or incomplete activation) | Proper system operation |

In recent decades, great care has been taken to research and analyze the measures for scenario (a) (the safety system does not actuate the required safety functions due to the CCF). To cope with the consequences of scenario (a), the diverse actuation system (DAS) has been developed and is recognized worldwide as an effective measure. The UK was deliberately cautious about the adoption of digital I&C technology, and a hardwired back-up to the digital I&C system was placed in service at Sizewell B [6]. Such a system design is required by the Radiation and Nuclear Safety Authority (STUK) of Finland, and a diverse automatic hardwired backup system is configured in Olkiluoto-3. In the US, the Nuclear Regulatory Commission (NRC) has issued guidelines such as the staff requirements memorandum on SECY-93-087 [7], Branch Technical Position (BTP) 7-19, NUREG/CR-6303 [8] and NUREG/CR-7007 [9] to provide defensive strategies (including DAS design) to address CCF. More DAS practices of international NPPs are summarized in [10]. Aside from the international nuclear regulators' guidelines and associated good practices, international standards have been developed which provide a general method for addressing CCF vulnerability in safety digital I&C systems. For example, International Electrotechnical Commission (IEC) standard IEC 61513 provides high-level guidance on I&C system architecture design and individual I&C system design [11]; IEC 60880 specifies the requirements for software design and development for I&C systems performing category A functions [12]; IEC 62340 establishes a CCF coping strategy for digital I&C systems. Until now, existing practices and applications have focused on these defensive measures coping with a CCF of scenario (a). None of these backup systems was targeted at the problem of digital I&C system spurious actuation (scenario (b)). Moreover, as for the potential CCF effects of scenario (b), there is insufficient research or elaborated nuclear industry guidance. Therefore, the development of a spurious actuation analysis methodology to cope with scenario (b) has become an important and urgent issue, which has attracted considerable attention in many countries. In 2017, a common position on spurious actuation of digital I&C systems was achieved and presented in [13] by the Digital Instrumentation and Controls Working Group (DICWG). Although this


common position provides high-level evaluation guidance, including the measures to prevent and respond to spurious actuations so as to maintain plant safety, etc., a detailed and clear analysis approach was not presented. This paper establishes a new functional-group methodology to evaluate the influence of spurious actuation of digital I&C systems.

2 Identification of Spurious Actuation

The spurious actuation analysis methodology for digital I&C systems is a top-down process which begins with a basic identification of the spurious actuation event (including evaluating whether the actuation could challenge plant safety). Subsequently, the identified spurious actuations of I&C functions are analyzed following the safety analysis.

2.1 Failure Scope and Types

It is known that failures are subdivided into random failures and systematic failures. Hardware technology is subject to random failure due to manufacturing defects, ageing, wear or environmental effects, and the associated failures are a result of degradation over time [14]. Digital technology does not fail randomly like hardware. On the other hand, both are subject to systematic failure resulting from design errors or requirements deficiencies. Generally, random failure dominates the overall failure rate of hardware, and measures (e.g. redundancy, self-monitoring, etc.) support the generally accepted assumption that, for well designed and tested hardware, design faults are rare and can be neglected. However, these faults cannot be ignored for digital technology; they are more likely to exist in digital I&C systems because of its unique nature (a full verification of its correctness is practically impossible), increased complexity and the associated inability to execute exhaustive testing [15]. Thus, in this paper, a systematic failure is assumed to take effect in a deterministic way to initiate functions spuriously. As the digital technology is perfectly replicated in each of the redundant channels, the following two types of spurious actuation consequence for digital I&C systems need to be considered (Fig. 1):
a) Consequence 1: spurious actuation of a single piece of equipment produced by I&C systems;
b) Consequence 2: spurious actuation of multiple pieces of equipment produced by I&C systems.

Fig. 1. Spurious actuation consequence of digital I&C systems


2.2 Approach Assumptions

The identification of events for spurious actuation of digital I&C systems presented in this paper follows the assumptions below. Moreover, the available scope for event mitigation and the priority management are important assumptions that will be used in the subsequent consequence analysis.
a) The identification of events assumes that the NPP is under normal operation. Initially, the NPP status in which the digital I&C systems spuriously initiate a certain function needs to be defined. To guarantee an adequate degree of analysis, all possible plant conditions should be considered. These initiating conditions cover the standard conditions within normal operation (e.g. full power operation, shutdown modes and core totally unloaded). The detailed operating states are introduced for the spurious actuation event identification considering the thermodynamic and reactor physics characteristics. Moreover, considering that under normal operation some of the spurious actuations produced by an I&C functional group are inhibited (e.g. by a permissive signal or inhibitive signal), the associated spurious actuations are assumed to be implausible and are not analyzed under these conditions;
b) The spurious actuation analysis of digital I&C systems is not considered in combination with other independent events (e.g. loss of off-site power, loss of coolant accident). Although the CCF of digital technology cannot be eliminated, many measures are applied to minimize the potential CCF (e.g. equipment qualification, field-proven products, mature system software verification and validation), which indicates that the likelihood of spurious actuation caused by I&C system CCF is very low. Hence, the combined probability of a spurious actuation event with an additional independent event is extremely low. Even if a spurious actuation caused by digital I&C systems takes effect, the associated influence is detectable; it can be corrected and would not still exist at the time of occurrence of an independent event (not caused by the digital I&C system). So, every independent single spurious actuation event is analyzed without considering the combined case.
c) To avoid the infinite number of combinations of spurious actuation, two kinds of multiple spurious actuation are excluded: spurious actuation of multiple independent I&C functions among different, independent I&C systems, and spurious actuation of multiple independent I&C functions within one I&C system. According to the experience of DICWG-13, the spurious actuations of concern are those which are plausible, because there is no way to know the worst combination of all positions in time of all such actuations (except by doing an infinite number of studies, which is infeasible). A similar position was presented on the Office for Nuclear Regulation (ONR) website through [16]. Take a digital I&C system with 100 outputs, for example: given that they are simple two-state functions, approximately 1 × 10^30 combinations of output states would need to be considered. Therefore, it is implausible to consider the infinite combinations. Based on the I&C architecture and design features, adequate independence is achieved, which removes or reduces such spurious actuation to an acceptable level. Therefore, the occurrence of such actuations is not considered.


d) The available scope for event mitigation is defined. If a specific spurious actuation of a digital I&C system is postulated, the other mitigation functions provided by the same system are conservatively considered unavailable. In this scenario, other I&C systems which have been demonstrated to be adequately independent from this I&C system are considered available.
e) Priority management is required to be considered. It is known that conflicting signals may be sent coincidentally by different digital I&C systems to control the same actuator. To cope with this circumstance, priority management is introduced in the I&C systems design to ensure that only one specific signal is sent to the actuator. Generally, two typical priority management methods are applied in NPPs. The first is state-based priority management: one direction of signals (e.g., energize or de-energize, open or close) always has higher priority over the opposite direction, regardless of the system generating the input signal. The second is system-based priority management, in which the signal from a specific system input (e.g., the protection system (PS)) has priority over signals from other systems, regardless of the state demanded by that signal. Based on the priority management feature, it is confirmed whether a spurious actuation of the equipment caused by a high-priority I&C system can be terminated by an opposite command from a low-priority I&C system.

2.3 Identification Process

A potential spurious actuation of a digital I&C system means that an I&C system or its associated equipment produces an unintended operation. However, not all unintended operations have adverse effects on plant safety. Figure 2 below shows a framework for the detailed identification process of spurious actuation events. With this framework, the spurious actuations which could lead to an abnormal operating NPP state are screened and each is defined as an independent event. The identification process includes the following four steps:
a) Identify the system scope and make the associated system functions list. Generally, I&C technologies can be based on software, complex hardware and simple hardware [17]; the available and representative I&C technologies are shown in Fig. 3. As introduced in Sect. 1, simple hardware is not considered due to the nature of the technology. The I&C systems based on complex hardware-based technology or software technology are considered in the subsequent analysis. The overall I&C architecture analyzed in this paper is described in [18], which mainly includes centralized I&C systems (e.g. the protection system (PS), safety automation system (SAS), plant standard automation system (PSAS), etc.) and non-centralized I&C systems. Moreover, the component interface module used to perform the priority management is based on simple hardware technology, so its spurious actuation is not considered.
b) Define the preliminary screening principles to form the short-list. To form the short-list and simplify the analysis, preliminary screening principles are defined. The screening has been developed according to the 7 principles listed in Table 2.
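As an added illustration of assumption e) in Sect. 2.2 (not code from the paper), the following Python model resolves conflicting commands to one actuator under state-based and system-based priority and reports, for a postulated spurious command, whether an opposite command from an independent system (assumption d)) can terminate it. The system names PS, SAS and PSAS come from the paper; their ranking and the choice of "close" as the prioritized direction are constructed assumptions.

```python
"""Toy model of the two priority-management schemes of Sect. 2.2 e).

A component interface module (CIM) receives commands for one actuator from
several I&C systems and forwards exactly one of them. Two policies:
  - state-based: one command direction always wins (constructed assumption:
    "close" is the prioritized direction);
  - system-based: a fixed system hierarchy wins (constructed ordering
    PS > SAS > PSAS; the paper only names PS as the usual top system).
"""
from dataclasses import dataclass
from typing import Iterable, Optional

OPEN, CLOSE = "open", "close"
OPPOSITE = {OPEN: CLOSE, CLOSE: OPEN}

# Constructed hierarchy for the system-based policy: lower rank = higher priority.
SYSTEM_RANK = {"PS": 0, "SAS": 1, "PSAS": 2}


@dataclass(frozen=True)
class Command:
    system: str  # issuing I&C system
    state: str   # demanded actuator state (OPEN or CLOSE)


def resolve_state_based(cmds: Iterable[Command], safe_state: str = CLOSE) -> Optional[str]:
    """State-based priority: the prioritized direction wins if any system demands it."""
    states = {c.state for c in cmds}
    if not states:
        return None
    return safe_state if safe_state in states else OPPOSITE[safe_state]


def resolve_system_based(cmds: Iterable[Command]) -> Optional[str]:
    """System-based priority: the highest-ranked issuing system wins, whatever it demands."""
    cmd_list = list(cmds)
    if not cmd_list:
        return None
    return min(cmd_list, key=lambda c: SYSTEM_RANK[c.system]).state


def can_terminate(spurious: Command, policy: str, safe_state: str = CLOSE) -> bool:
    """Can an opposite command from some other independent system override `spurious`?

    Per assumption d), only systems other than the failed one are credited;
    per assumption e), the CIM policy decides which command reaches the actuator.
    """
    for other in (s for s in SYSTEM_RANK if s != spurious.system):
        counter = Command(other, OPPOSITE[spurious.state])
        if policy == "state":
            result = resolve_state_based([spurious, counter], safe_state)
        elif policy == "system":
            result = resolve_system_based([spurious, counter])
        else:
            raise ValueError(f"unknown policy {policy!r}")
        if result == counter.state:
            return True
    return False


def termination_matrix(policy: str, safe_state: str = CLOSE) -> dict:
    """For every (system, spurious direction) pair: can the spurious command be terminated?"""
    return {
        (sys_name, state): can_terminate(Command(sys_name, state), policy, safe_state)
        for sys_name in SYSTEM_RANK
        for state in (OPEN, CLOSE)
    }


if __name__ == "__main__":
    for policy in ("state", "system"):
        print(f"--- {policy}-based priority ---")
        for (sys_name, state), ok in termination_matrix(policy).items():
            print(f"spurious {state:5s} from {sys_name:4s}: "
                  f"{'terminable' if ok else 'NOT terminable'}")
```

Under system-based priority a spurious command from the top-ranked system cannot be terminated by any other system, while under state-based priority a spurious command in the prioritized direction cannot be terminated; the matrix makes both gaps explicit so they can be carried into the consequence analysis.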

Spurious Actuation of I&C Systems Analysis Methodology

541

[Fig. 2 is a flowchart; recoverable steps only:] Start → Identify the system scope and make the associated system functions list → Define the preliminary screening principles to form the short-list → Judge if the function could be excluded according to the principles (Yes: screen out; No: continue) → Form the functional group based on the signal features → Judge if the failure could lead to an abnormal operating NPP state (No: screen out; Yes: continue) → Determine the event list of spurious actuation.
Fig. 2. Identification process of spurious actuation produced for I&C systems

[Fig. 3 is a tree diagram of electronic hardware technologies; recoverable labels only:] Conventional electrical and electronic components (relays, analog electronic circuits); digital logic circuits; large-scale integrated circuits (HDL programmable devices: simple PLDs, complex PLDs, FPGAs; ASICs; programmable logic array; programmable array logic); microprocessors. The branches are grouped as simple hardware-based technology, complex hardware-based technology and software technology. ASIC: Application Specific Integrated Circuit; FPGA: Field Programmable Gate Array; HDL: Hardware Description Language; PLD: Programmable Logic Device.
Fig. 3. Categorization of technologies

542

Z. Yang et al.

Table 2. Preliminary screening principles (columns: Item, Definition, Remark)

Principle 1 (Local operation): The implementation of a local function does not need the processing of digital I&C systems. Therefore, local functions are not considered in the spurious actuation analysis.

Principle 2 (Passive functions): Passive equipment is actuated by a natural phenomenon and does not need the processing of the digital I&C system.

Principle 3 (Indication functions): Indication functions do not actuate the equipment directly, so indication functions are ruled out from the spurious actuation analysis of digital I&C systems.

Principle 4 (No change in the equipment status): If the equipment status resulting from the spurious actuation of digital I&C systems is the same as the required equipment status in normal operation, the associated function is not considered in the spurious actuation analysis.

Principle 5 (Actuation by combination of multiple functions simultaneously): As described in item c of the approach assumptions, the simultaneous occurrence of multiple spurious actuations is not considered.

Principle 6 (Covered by failure mode and effects analysis (FMEA) of mechanical systems): For the selected mechanical system, all the failure modes of the corresponding components are determined and analyzed by the FMEA approach. For each analyzed failure mode, the induced direct consequence is identified and it is evaluated whether the failure could lead to an abnormal operating NPP state. Using the existing FMEA approach, the analysis is continued until all components of the specific system have been covered. Therefore, for a function realized by a single piece of equipment, it is verified whether the spurious actuation is covered by the aforementioned FMEA of mechanical systems. If so, the function is excluded.

Principle 7 (Permissive signal or inhibitive signal): A permissive or inhibitive signal is used for mode switchover and does not lead to an abnormal operating NPP state directly.

c) Form the functional group based on the signal features. The functional group list is formed from the signal features, including similar I&C system allocation, similar spurious actuation states and similar actuation modes (including similar actuation types and actuation signals). A functional group is an assembly of functions, including an I&C output function and any consequential function(s) activated by it. As illustrated in Fig. 4, the functions that share the similar features mentioned above are assigned to one functional group. Lines of the same color in Fig. 4 represent the same initiation condition in the same NPP state. For example: 1) Function 1, allocated in the PS, and functions 3/4/5, also allocated in the PS, are actuated by the same actuation signal. In addition, these functions are actuated in the same NPP states. Therefore, these functions are combined into one functional group and analyzed together; 2) In a different NPP state, function 1 allocated in the PS only leads to the actuation of function 2. For this NPP state, function 1 and function 2 are combined to be analyzed together; 3) Function 6, allocated in the PS, is connected to function 7, allocated in the SAS. Although the allocated I&C systems are different, the spurious actuation of function 6 will lead to the initiation of function 7, so the two functions are considered together and combined into one functional group in the case of PS failure.

Fig. 4. Illustration of functional groups (diagram: functions 1 to 6 allocated in the PS and function 7 allocated in the SAS, with connecting lines showing the groupings described in the text)

d) Determine the event list of spurious actuation for digital I&C systems. The following two aspects are taken into consideration to screen the final event list of spurious actuation for digital I&C systems. 1) For a given functional group, identify whether the consequence could lead to an abnormal operating NPP state (including but not limited to reactivity or power control abnormality, increase/reduction in primary side temperature, increase/reduction in primary side flow, loss of spent fuel pool inventory, etc.); 2) For a given functional group, identify whether the consequence could be enveloped by that caused by another functional group.
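The four steps above, expressed as a screening procedure in code. This is an added example written for this edition, not code from the paper or its authors; the data model (one record per function and NPP state, boolean flags for the screening principles, a strict-subset rule for "enveloped" consequences) and the sample functions are assumptions constructed to mirror Fig. 4.

```python
"""Screening of candidate spurious actuation events following the four
steps of Fig. 2: (a) scope, (b) screening principles of Table 2,
(c) functional grouping, (d) event list. The data and the flag names are
assumptions of this example, not the paper's data."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class IcFunction:
    name: str
    system: str                    # allocated I&C system: PS, SAS, PSAS, ...
    technology: str                # "software", "complex_hardware" or "simple_hardware"
    actuation_signal: str          # signal that initiates the function
    npp_state: str                 # NPP state analysed (one record per function and state)
    consequence: Optional[str] = None    # abnormal operating NPP state caused, or None
    triggers: Tuple[str, ...] = ()  # consequential functions started by this one
    local_operation: bool = False   # Principle 1
    passive: bool = False           # Principle 2
    indication_only: bool = False   # Principle 3
    status_unchanged: bool = False  # Principle 4
    covered_by_fmea: bool = False   # Principle 6
    permissive_or_inhibit: bool = False  # Principle 7


def exclusion_reason(f: IcFunction) -> Optional[str]:
    """Steps a and b: the scope rule (simple hardware out) and the screening
    principles. Principle 5 needs no flag: each group is analysed alone, so
    simultaneous spurious actuations are never combined."""
    if f.technology == "simple_hardware":
        return "out of scope: simple hardware technology"
    checks = [
        (f.local_operation, "Principle 1: local operation"),
        (f.passive, "Principle 2: passive function"),
        (f.indication_only, "Principle 3: indication function"),
        (f.status_unchanged, "Principle 4: no change in equipment status"),
        (f.covered_by_fmea, "Principle 6: covered by mechanical FMEA"),
        (f.permissive_or_inhibit, "Principle 7: permissive or inhibitive signal"),
    ]
    return next((reason for flag, reason in checks if flag), None)


def form_functional_groups(functions: List[IcFunction]) -> List[List[IcFunction]]:
    """Step c: same allocation, actuation signal and NPP state -> same group;
    a function and the functions it triggers are merged even across I&C
    systems (function 6 -> 7 in Fig. 4). Union-find keeps it linear."""
    parent: Dict[str, str] = {f.name: f.name for f in functions}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    by_feature: Dict[Tuple[str, str, str], List[str]] = defaultdict(list)
    for f in functions:
        by_feature[(f.system, f.actuation_signal, f.npp_state)].append(f.name)
    for names in by_feature.values():
        for other in names[1:]:
            parent[find(names[0])] = find(other)
    for f in functions:
        for target in f.triggers:
            if target in parent:           # the target may itself have been screened out
                parent[find(f.name)] = find(target)

    groups: Dict[str, List[IcFunction]] = defaultdict(list)
    for f in functions:
        groups[find(f.name)].append(f)
    return sorted((sorted(g, key=lambda x: x.name) for g in groups.values()),
                  key=lambda g: g[0].name)


def spurious_actuation_events(functions: List[IcFunction]):
    """Steps b to d: screen, group, keep groups that lead to an abnormal
    operating NPP state (d-1) and are not enveloped by another group (d-2).
    Envelopment is modelled as a strict subset of consequences (assumption)."""
    retained = [f for f in functions if exclusion_reason(f) is None]
    candidates = []
    for group in form_functional_groups(retained):
        consequences = frozenset(f.consequence for f in group if f.consequence)
        if consequences:
            candidates.append((group, consequences))
    return [([f.name for f in group], sorted(cons))
            for group, cons in candidates
            if not any(cons < other for _, other in candidates)]


SAMPLE_FUNCTIONS = [  # constructed data modelled on Fig. 4
    IcFunction("F1", "PS", "software", "signal A", "full power", "increase in feedwater flow"),
    IcFunction("F3", "PS", "software", "signal A", "full power", "increase in feedwater flow"),
    IcFunction("F4", "PS", "software", "signal A", "full power"),
    IcFunction("F5", "PS", "software", "signal A", "full power", "reduction in primary side temperature"),
    IcFunction("F1@hot standby", "PS", "software", "signal A", "hot standby", triggers=("F2",)),
    IcFunction("F2", "PS", "software", "F1 output", "hot standby", "steam generator overfill"),
    IcFunction("F6", "PS", "software", "signal C", "full power", triggers=("F7",)),
    IcFunction("F7", "SAS", "software", "F6 output", "full power", "increase in primary side flow"),
    IcFunction("F8", "PSAS", "software", "signal D", "full power", "increase in feedwater flow"),
    IcFunction("relay interlock", "PS", "simple_hardware", "signal E", "full power", "reduction in primary side flow"),
    IcFunction("SG level indication", "PS", "software", "signal A", "full power", indication_only=True),
    IcFunction("P6 permissive", "PS", "software", "signal F", "full power", permissive_or_inhibit=True),
]

if __name__ == "__main__":
    for f in SAMPLE_FUNCTIONS:
        reason = exclusion_reason(f)
        if reason:
            print(f"screened out {f.name!r}: {reason}")
    for names, consequences in spurious_actuation_events(SAMPLE_FUNCTIONS):
        print("event:", names, "->", consequences)
```

With the constructed data, the F1/F3/F4/F5 group, the F1/F2 group in hot standby and the cross-system F6/F7 group survive as events, while F8 is dropped because its only consequence is already enveloped by the F1 group; the relay, indication and permissive functions never reach the grouping step.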

3 Consequence Analysis of Typical Spurious Actuation Event

Through the identification methodology, the functional groups leading to an abnormal operating NPP state due to unintended actuation are acquired and defined as spurious actuation events. For them, a detailed analysis is performed to confirm whether the current mitigation systems and safety functions are adequate.


In this section, the identified event due to spurious actuation of emergency feedwater is analyzed as an example. The emergency feedwater system (EFWS) is designed to supply water to the steam generators for residual heat removal, and the associated startup function is implemented in the PS. A CCF in the PS may actuate this function spuriously and lead to an increase in feedwater flow. The following initial conditions are considered.

a) The spurious actuation is considered in three different NPP states: full power state, hot standby state and hot shutdown state.

b) According to the predefined priority assignment in [18], system-based priority is applied and the PS owns the highest priority. If the identified functions are actuated spuriously by the PS, the opposite order derived from the mitigation system is invalid. Therefore, the emergency feedwater injection cannot be isolated until the local operation is carried out.

c) As mentioned in [18], the PS and SAS are based on the same I&C platform. Although independence is established between them, it is hard to verify that the SAS is available in this scenario, so the PS and the SAS are conservatively assumed to be unavailable.

d) In this scenario, other independent I&C systems (e.g. the DAS and PSAS) are used to provide the mitigating functions. For example, the PSAS is credited to protect the plant through the regulating functions of the main feedwater flow control system (MFFCS).

e) The emergency pumps are assumed to spuriously start at their nominal flow rate. According to [19], the range is from 90 m3/h to 110 m3/h and the detailed value depends on the backpressure.

The digital I&C design verification and validation platform provides a dynamic verification method and strong support for engineering application [20]. The spurious actuation of emergency feedwater is simulated on this V&V platform.

For this event occurring in full power state, the short-term transient simulation is developed and the response of the key parameters is shown in Fig. 5 and Fig. 6. The steam generator flow rate rises until it reaches the nominal value (slightly smaller than 110 m3/h), and then the increased emergency feedwater is offset by the capacity of the MFFCS (the associated flow rate is 2130.5 m3/h [21]). Thanks to the quick response of the MFFCS, a steady state is established about 3 min later and no automatic reactor trip occurs. After 60 min the operator would perform the local action to isolate the affected steam generators and terminate the event.

For this event occurring in hot standby state and hot shutdown state, the associated significant parameters are presented in Figs. 7, 8, 9, 10, 11 and 12. At the beginning of the event in hot standby state or hot shutdown state, the addition of large amounts of cold water to the secondary side makes the steam generator level and pressure decrease due to the cold-contraction effect. The temperature of the emergency water (between 10 °C and 60 °C) is much lower than that of the secondary side (about 300 °C), which increases the water density and hence decreases the total level. This specific phenomenon does not appear in the full power state due to the very high power transferred from the primary side.


Fig. 5. EFWS flow rate in full power state

Fig. 6. Steam generator level in full power state

Additionally, in these states, the MFFCS closes the low load control valve in response to the increasing steam generator level. However, because the full load control valves have already been closed in these conditions, the remaining low load control valve is insufficient to control the level, so the steam generator level finally rises. The primary mitigation measure for this event is the EFWS isolation implemented in the DAS. Once the predefined set-point is reached, the DAS initiates the EFWS isolation function on high steam generator level. But the isolation function is ineffective due to the priority configuration mentioned above. Finally, the emergency water can result in steam generator overfill. One difference is that the overfill time for the event occurring in hot standby state is later than that in hot shutdown state, because the initial power level for hot standby state is higher than that of hot shutdown state. It can be seen that the overfill time is approximately 28 min for hot shutdown state and 37 min for hot standby state, which are insufficient for the operator to manually isolate the emergency feedwater (the grace period assumption for local operation is at least 1 h after the appearance of the first significant signal). Although the overfill phenomenon appears, this event does not generate a more serious radiological consequence, and the acceptance criteria defined in [22] are satisfied.

Fig. 7. EFWS flow rate in hot standby state

Fig. 8. Steam generator level in hot standby state


Fig. 9. Steam generator pressure in hot standby state

Fig. 10. EFWS flow rate in hot shutdown state

On one hand, the aforementioned analysis shows that the current mitigation functions are adequate. On the other hand, a possible but not necessary improvement is identified: if state-based priority management were introduced to replace the current priority management for the EFWS isolation function, the overfill phenomenon might be avoided. This improvement needs further evaluation, and the associated details are beyond the scope of this paper.


Fig. 11. Steam generator level in hot shutdown state

Fig. 12. Steam generator pressure in hot shutdown state

4 Summary and Discussion

A new method for identifying spurious actuation of digital I&C systems is developed. The method integrates the features of digital I&C systems and the characteristics of function allocation. The identified spurious actuation events are analyzed quantitatively with specific conservative assumptions, and the associated results are used to demonstrate whether additional mitigation measures should be introduced. As an example, the spurious actuation of the EFWS is simulated and evaluated. The evaluation results show that no additional mitigation functions need to be added. Moreover, the results also provide a possible improvement idea for design optimization.

References

1. International Atomic Energy Agency: Software Important to Safety in Nuclear Power Plants. IAEA Technical Report Series No. 367 (1994)
2. U.S. Nuclear Regulatory Commission: Advanced Reactor Licensing: Experience with Digital I&C Technology in Evolutionary Plants. NUREG/CR-6842, April 2004
3. International Electrotechnical Commission: Nuclear power plants - Instrumentation and control systems important to safety - Requirements for coping with common cause failure (CCF). IEC 62340, Revision 1, Geneva, Switzerland (2008)
4. Wood, R., Pullum, L., Smith, C., et al.: Common-Cause Failure Mitigation Practices and Knowledge Gaps (2012)
5. U.S. Nuclear Regulatory Commission: Guidance for Evaluation of Diversity and Defense-in-Depth in Digital Computer-Based Instrumentation and Control Systems. Branch Technical Position 7-19, Revision 7, Washington, D.C. (2016)
6. Percival, C., Bradbury, D.: The engineering specification, design and implementation of the Sizewell B reactor secondary protection system. In: International Conference on Electrical and Control Aspects of the Sizewell B PWR, London, UK, pp. 232–244 (1992)
7. U.S. Nuclear Regulatory Commission: Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor (ALWR) Designs. Staff Requirements Memorandum on SECY-93-087, Washington, D.C., 21 July 1993
8. U.S. Nuclear Regulatory Commission: Method for Performing Diversity and Defense-in-Depth Analyses of Reactor Protection Systems. NUREG/CR-6303, December 1994
9. U.S. Nuclear Regulatory Commission: Diversity Strategies for Nuclear Power Plant Instrumentation and Control Systems. NUREG/CR-7007, February 2010
10. International Atomic Energy Agency: Criteria for Diverse Actuation System for Nuclear Power Plants. IAEA TECDOC Series No. IAEA-TECDOC-1848 (2018)
11. International Electrotechnical Commission: Nuclear power plants - Instrumentation and control for systems important to safety - General requirements for systems. IEC 61513, March 2001
12. International Electrotechnical Commission: Nuclear Power Plants - Instrumentation and Control Systems Important to Safety - Software Aspects for Computer-Based Systems Performing Category A Functions. IEC 60880, Ed. 2.0, Geneva, Switzerland (2006)
13. Multinational Design Evaluation Programme Generic Common Position: Common Position on Spurious Actuation. DICWG No. 13 (2017)
14. International Atomic Energy Agency: Dependability Assessment of Software for Safety Instrumentation and Control Systems at Nuclear Power Plants. IAEA Nuclear Energy Series No. NP-T-3.27 (2018)
15. International Atomic Energy Agency: Core Knowledge on Instrumentation and Control Systems in Nuclear Power Plants. IAEA Nuclear Energy Series No. NP-T-3.12 (2011)
16. UK Nuclear Regulation. http://www.onr.org.uk/new-reactors/uk-abwr/reports/ro-abwr0007.pdf. Accessed 20 July 2020
17. International Atomic Energy Agency: Application of Field Programmable Gate Arrays in Instrumentation and Control Systems of Nuclear Power Plants. IAEA Nuclear Energy Series No. NP-T-3.17 (2016)
18. UK Nuclear Regulation. http://www.ukhpr1000.co.uk/wp-content/uploads/2020/02/HPRGDA-PCSR-0008-Pre-Construction-Safety-Report-Chapter-8-Instrumentation-and-Control-Rev-001.pdf. Accessed 20 July 2020
19. UK Nuclear Regulation. http://www.ukhpr1000.co.uk/wp-content/uploads/2020/02/HPRGDA-PCSR-0007-Pre-Construction-Safety-Report-Chapter-7-Safety-Systems-Rev-001.pdf. Accessed 20 July 2020
20. Wang, C.-B., Ping, J.-L., Duan, Q.-Z., et al.: Study on function verification of diversity actuation system in nuclear power plant. Nucl. Sci. Eng. 56, 82–86 (2012)
21. UK Nuclear Regulation. http://www.ukhpr1000.co.uk/wp-content/uploads/2020/02/HPRGDA-PCSR-0011-Pre-Construction-Safety-Report-Chapter-11-Steam-and-Power-Conversion-System-Rev-001.pdf. Accessed 20 July 2020
22. UK Nuclear Regulation. http://www.ukhpr1000.co.uk/wp-content/uploads/2020/02/HPRGDA-PCSR-0013-Pre-Construction-Safety-Report-Chapter-13-Design-Extension-Conditions-and-Severe-Accident-Analysis-Rev-001.pdf. Accessed 20 July 2020

Analysis for Periodic Test Interval of Digital I&C System for NPP Based on PSA Technology

Sun Wei (B) and Li-Ming Zhang

State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co., Ltd., Shenzhen 518172, China
[email protected]

Abstract. At present, digital control technology is widely used in the safety I&C systems of nuclear power plants. In addition to improving the self-diagnosis coverage of the equipment to increase the reliability of the system, periodic tests are also widely used, but how to determine the test interval of the safety I&C system in theory has gradually become a new research direction. Based on this, this article models the periodic test interval from the beginning of design, combines it with PSA technology by analyzing the initiating events of a typical NPP, and integrates it into the plant PSA models. Through the analysis of the calculation results, the weaknesses of the test interval are identified and improvements are given. After that, a set of design processes for the periodic test interval is summarized, which ultimately enhances the overall safety and reliability objectives of the NPP.

Keywords: PSA · Reliability · Periodic test interval · Digital control technology

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 551–562, 2021. https://doi.org/10.1007/978-981-16-3456-7_53

1 Introduction

PSA technology is a safety evaluation method based on probability theory and risk assessment. It identifies and analyzes unexpected faults, abnormalities or consequences in the system operation process and carries out risk analysis and evaluation on this foundation. The PSA method is one of the two safety analysis methods for nuclear power plants (deterministic and probabilistic). Its advantage lies in analyzing the relationships and interactions between the various factors, which makes it possible to quantitatively evaluate the safety of nuclear power plants and identify the weak links in their design, construction and operation. PSA evaluation covers two aspects, namely the frequency of unwanted events and their consequences; the combination of frequency and consequence is risk. For a nuclear power plant, such undesirable events are core damage, radionuclide release into the environment, public casualties and property losses. Different from the deterministic analysis method, probabilistic safety assessment is a systematic analysis method. Its input is information as realistic as possible about the plant design, operating practice, personnel behavior, component reliability, the physical process of core damage, containment behavior and environmental conditions. The foundation of the analysis is probability theory, and its output is the probability and consequence of the various accident sequences, radioactive material releases and health effects [1].

IAEA has also played an important role in the research and promotion of PSA. PSA has been implemented for different reactor types, and the development and application of PSA technology have been systematically studied. IAEA has put forward requirements for the use of PSA in support of system design. The PSA requirements are described in NS-R-1 [2]: “When safety analysis is carried out on the unit design, both the deterministic analysis method and the probabilistic analysis method shall be used. Then take this analysis as the foundation to formulate and verify the design basis for safety important items.” After that, PSA was taken as part of the decision-making process in NS-G-1.2 [3], with the following requirement: PSA results should be taken as part of the design process to evaluate the safety level of the unit.

The digital control system is the key technology and “nerve center” of a nuclear power plant. It provides more advanced control and management methods and is important equipment for ensuring the safe and reliable operation of the plant. From design to manufacture, the system needs to meet requirements on reliability, security, system complexity, interface processing and other aspects, and it integrates many technologies such as computer, communication, display and control. Traditionally, in the design stage, the reliability of the I&C system is improved only by improving the reliability of the DCS equipment, such as the manufacturing level of the process equipment, the software and hardware identification level, quality assurance, etc. During the operation phase, the high reliability of the equipment is ensured through periodic tests.
How to calculate and analyze the system reliability and the periodic test interval on this foundation through a quantitative evaluation method differs somewhat from the mainstream requirements in the world. Based on this, this paper is oriented to engineering practice. Through the PSA method, the equipment reliability data and the periodic test interval are coordinated. Through quantitative reliability calculation, the periodic test interval of the safety I&C system is calculated, and the design scheme is improved or optimized to enhance the overall safety goal of the nuclear power plant. On this foundation, a design method for the periodic test interval of nuclear power plant digital I&C based on PSA technology is explored to meet the needs of subsequent engineering practice.

2 Overview of PSA Technology

According to the classification of research levels, PSA is usually divided into three levels. The purpose of level 1 PSA is to calculate the core damage probability (CDF). Core damage refers to “the reactor core being exposed and heated to the extent that long-term cladding oxidation or serious fuel damage is expected to occur, with the part of the core involved sufficient to cause a large radioactive release”. Level 2 PSA builds on the analysis results of level 1 PSA to study the accident process and containment response after the core is damaged, and to evaluate the release amount and frequency of the various radionuclides to the environment. Level 3 PSA further studies the dispersion of radioactive substances in the environment and estimates their impact on public health and the social environment [4].


The scope of this paper is level 1 PSA. Figure 1 shows the analysis process, basic framework and elements of probabilistic safety assessment as applied to nuclear power plants [5]:

Fig. 1. General process of level1 PSA for NPP digital I&C

1) Initiating event analysis: identify events that may lead to nuclear power plant anomalies and require a successful response from plant equipment and personnel to prevent core damage;
2) Success criteria analysis: determine the minimum requirements for each safety function (and the system used to perform it) required to prevent core damage after the initiating event occurs;
3) Accident sequence analysis: model, in time sequence, the different event progressions (event sequences) that successfully mitigate or lead to core damage after the event occurs (event tree model);
4) System analysis: determine the failure combinations that may cause the system to fail to perform its functions. The model includes hardware, instrument and human failure events that may lead to system failure. The development of events should be detailed enough to take into account the various dependencies (fault tree model);
5) Data analysis: evaluate the frequency of initiating events and the equipment failure probabilities;
6) Human reliability analysis: identify and quantify human error events and their probabilities under accident conditions;
7) Accident sequence quantification: calculate the total CDF from the CDF obtained for each initiating event category;
8) Analysis of results: identify the main contributors (qualitatively and quantitatively), classified by initiating event, accident sequence, equipment failure and human error event.


Compared with the traditional deterministic method, the PSA method has the following characteristics [6]:
a) PSA not only studies the physical phenomena, processes and consequences after the occurrence of an event, but also carries out a quantitative evaluation of risk on this basis;
b) In PSA, the many complex dependencies among systems, equipment and personnel that exist in the design are considered;
c) In the PSA model, the short-term unavailability of equipment caused by periodic tests and maintenance is considered;
d) PSA adopts more realistic assumptions to reflect the actual situation of nuclear power plants, and its evaluation results are closer to reality.

To sum up, the PSA method can make up for the deficiencies of the traditional deterministic method to a great extent. Their combined use can make safety analysis and reliability analysis more comprehensive, objective and reasonable.

3 Digital Control System

The nuclear power plant digital control system (DCS) is a distributed control system based on computers and network communication. The DCS not only has the measurement and control functions of conventional industrial process instruments, but also has extremely strong data processing capacity and a high-speed information communication rate. Its main advantages are decentralized control with centralized management and high reliability: the data acquisition and process control functions are decomposed and implemented by multiple functional computers working independently, which avoids the common mode failure risk caused by centralized control. Its main features are as follows:
1) With high control accuracy and strong logical operation processing and computing capability, it can significantly improve the comprehensive performance of the I&C system and complete the complex logic operation processing and calculation functions that could not be achieved by analog I&C systems in the past;
2) A communication network is used to connect the system equipment, which greatly reduces the number of connecting cables and improves the reliability of data transmission;
3) It can conveniently and effectively realize multiple redundancy, fail-safe behavior and fault tolerance, and improve system availability and reliability;
4) Online inspection and self-diagnosis functions can be realized conveniently and effectively, which helps fault analysis and judgment;
5) The system has good extension flexibility, strong configurability and easy maintenance;
6) It has powerful data processing and storage capacity, and improves the man-machine interface.


Fig. 2. Internal architecture of typical NPP digital I&C cabinet

The DCS mainly includes first-layer equipment such as the master controller, communication modules and I/O modules, and second-layer equipment such as the operator station. The typical internal structure of a cabinet is shown in Fig. 2. In addition, the structure of the I&C system is vertically divided into four layers by function: the process system interface layer (Level 0), the automatic control and protection layer (Level 1), the operation and management information layer (Level 2) and the plant technical management layer (Level 3).
1) Level 0 is the interface layer between the I&C and the process system, mainly composed of sensors, actuators and other field equipment.
2) Level 1 mainly includes the reactor protection system (RPS), the reactor power control system (RPCS), the plant standard automation system (PSAS), special I&C subsystems, the diverse actuation system (DAS), the severe accident I&C system (SA I&C), etc.
3) Level 2 is mainly composed of the plant computer information and control (KIC) equipment, the emergency operation device (ECP), the display screen (LDP) and so on. These devices are located in the main control room (MCR), the remote shutdown station (RSS) and the technical support center (TSC).
4) Level 3 is the plant information management layer (Fig. 3).

Fig. 3. Typical architecture of NPP digital I&C (block diagram). Within the scope of the I&C systems: the human machine interface (alarm, display, operation, recorder); the control equipment (logic process, signal preprocess circuit, input/output); the component interface circuit; switchgear and sensors (switchgear/integrated motor control, reactor trip breakers); and the actuated components (motor, solenoid valve, pump/fan, motor valve).

4 Self-diagnosis of Safety I&C System and Periodic Test

In order to improve the reliability of the digital I&C system, self-diagnosis and periodic tests are generally adopted in the control system. Based on this, the safety-class system should be capable of being tested during normal operation of the plant as well as during outages. The types of tests include operational tests, channel calibration and response time tests. The safety system shall be tested so as to include as many sensors, signal processing equipment, logic devices and final actuators as possible without compromising the continuous normal operation of the plant. When selecting all parts of a protection system, consideration should be given to testability. Where a complete test cannot be realized, the method of overlapping segment tests can be adopted.

4.1 Self-diagnosis Design

Self-diagnosis refers to the inspection performed by the device itself, including online continuous self-diagnosis, device-triggered self-diagnosis and manually triggered self-diagnosis. The application of self-diagnosis in a computer-based protection system can improve the reliability of the system and extend the periodic test cycle. The self-diagnosis design features are as follows:
1) The coverage of self-diagnosis should be as comprehensive as possible, including memory function and integrity tests, data link diagnosis, etc.;
2) Faults detected by self-diagnosis should be brought to the attention of the plant operator by means of alarms and information displays;


3) The software and hardware used to realize the self-diagnosis function shall not affect the independence of the redundant channels, the system integrity or the single failure criterion;
4) Self-diagnosis shall not affect the execution of safety functions or cause spurious actions of safety functions;
5) The interface between the self-diagnosis software and the safety function software should have minimal impact on the logic and data structures of the safety function software;
6) A proper balance should be maintained between the resources used for self-diagnosis (such as cycle time) and computer performance.

4.2 Periodic Test Design

Periodic tests refer to tests performed at scheduled intervals to detect faults and check operability, including manual tests or manually triggered automated tests. The main design features of periodic tests are as follows:
1) The periodic test device and its interface with the protection system shall not affect the independence of the redundant channels, the integrity of the system or the single failure criterion;
2) During a periodic test, the ability of the protection system to respond to real signals shall be maintained;
3) Each redundant channel shall be allowed to conduct periodic tests independently, and measures shall be taken to prevent multiple channels from being bypassed for periodic testing at the same time;
4) If a part of the protection system is tested by bypass or is taken out of operation, continuous and clear indication shall be provided in the control room, and measures shall be provided to enable the operator to confirm that the tested equipment has been restored to its normal operation mode after completion of the test;
5) The periodic test should simulate the path of the normal signal as closely as practical;
6) Measures shall be taken to prevent unauthorized personnel from triggering periodic tests.
Taking the periodic test of a nuclear power plant as an example, the main test activities of the safety-class I&C system are as follows:
a) Channel inspection;
b) Shutdown and ESFAS functional test;
c) Shutdown circuit breaker action test;
d) Specially designed action test;
e) Output control loop test;
f) Drive test;
g) Connection test between the protection system and third-party systems;
h) Human-machine interface test;
i) Response time test.


S. Wei and L.-M. Zhang

From the standpoint of reliability characteristics, shortening the periodic test interval (increasing the test frequency) improves the reliability of the system. On the other hand, a high test frequency increases the workload of maintenance personnel and makes human error more likely, which in turn reduces system reliability. It is therefore particularly important to determine the periodic test interval scientifically (Fig. 4).

Fig. 4. Periodic testing overlap diagram of safety I&C system

4.3 Periodic Test Cycle Analysis and Calculation

During the operation of DCS equipment there are two failure modes:
1) Self-detected failure (DF): the DCS has built-in loop monitoring, so a hardware device fault within the coverage of the self-diagnosis system is detected by the DCS itself as soon as it occurs;

Analysis for Periodic Test Interval of Digital I&C System


2) Undetected failure (UF): some failures lie outside the coverage of DCS self-diagnosis and cannot be detected by it. These are latent failures that are not revealed during unit operation and can only be found by periodic tests (Fig. 5).

Fig. 5. Failure mode synthesis

In accordance with GB 9225, General Principles for Reliability Analysis of Nuclear Power Plant Safety Systems, the steady-state availability concept is used for repairable or replaceable items (calculations may assume an infinite repair time to represent a non-repairable item). A repairable or replaceable item works until it fails, is repaired, works again, fails again, and is repaired again ("repair" meaning repair or replacement). Over an infinite time, availability is determined by the average working time and the average repair time:

$$\text{Availability} = \frac{\text{average working time}}{\text{average working time} + \text{unavailable time}} \qquad (1)$$

Two situations must be considered. In the first, an item is found to be faulty as soon as it fails (the failure is self-revealing) and is repaired immediately, with no delay; the out-of-service time can then be taken as equal to the repair time. In the second, the failure is not self-revealing and can only be detected by periodic tests; the out-of-service time is then the interval between the failure and the next test, plus the repair time. In general, availability is a complex mathematical function that depends on the probability distributions of test intervals, running times and repair times. If the following assumptions hold:
1) the items have a constant failure rate;
2) faults can only be detected by periodic tests;
3) the test interval is a constant T;
4) the product of the failure rate and the test interval is small enough;
5) repair time plus logistic delay time is far shorter than the test interval;
6) items are in a working state at the start of each test interval, faulty items are detected by the test and repaired, and the test neither causes item failure nor changes the item failure rate,
then Equation (5) can be simplified as:

According to the above analysis, the periodic test interval T, as an input variable of the reliability calculation, must satisfy the overall reliability target, which can be determined by iterative design. Taking a certain power plant as an example, the PSA method is used to iterate the periodic test interval of the safety-level I&C system. Table 1 gives the failure data of the DCS equipment.

Table 1. Failure rate of DCS equipment

| Equipment | MTBF (h) | Failure rate (/h) |
|---|---|---|
| CPU power supply | 1.39E+05 | 7.17E−06 |
| Optical electric converter | 9.80E+06 | 1.00E−07 |
| Redundancy management equipment | 3.60E+05 | 2.76E−06 |
| Master management unit | 3.08E+05 | 3.24E−06 |
| Bus interface unit | 1.74E+05 | 5.74E−06 |
| CPU processing unit | 2.05E+05 | 4.88E−06 |
| I/O interface card | 5.96E+05 | 1.67E−06 |
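The simplification that assumptions 1) to 6) lead to, worked here as an added derivation rather than the paper's own Equation (5) (which this page does not reproduce). $\lambda$ is the constant failure rate, $T$ the test interval, and $P$, $MTBF$ and $MTTR$ are used as in the reliability formula that follows:

$$
U(T) = \frac{1}{T}\int_0^T \left(1 - e^{-\lambda t}\right)\,dt \approx \frac{1}{T}\int_0^T \lambda t\,dt = \frac{\lambda T}{2}, \qquad \lambda T \ll 1 .
$$

A fault that escapes detection therefore waits, on average, half a test interval before it is revealed. If a fraction $P$ of failures is caught immediately by self-diagnosis (downtime $MTTR$) and the remaining fraction $1-P$ only by the periodic test (downtime $T/2 + MTTR$ on average), the mean downtime per failure is $MTTR + (1-P)\,T/2$. Substituting this for the unavailable time in Equation (1), with the average working time equal to $MTBF = 1/\lambda$, gives

$$
U = 1 - \frac{MTBF}{MTBF + MTTR + (1-P)\,T/2} \approx \lambda\left(MTTR + \frac{(1-P)\,T}{2}\right),
$$

where the right-hand approximation again uses $\lambda T \ll 1$ (assumption 4) and $MTTR \ll T$ (assumption 5).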

Through the above analysis, the reliability calculation formula is:

$$U = 1 - \frac{MTBF}{MTBF + MTTR + (1-P)\,T_{pt}/2}$$

where
U: mean unavailability (probability of failure on demand);
MTBF: mean time between failures (h);
MTTR: mean time to repair (h);
P: probability that a failure is successfully detected by self-diagnosis;
$T_{pt}$: periodic test interval (h).

Taking the CPU as an example and substituting its failure data into the formula:
$MTBF_{CPU} = 2.654 \times 10^{8}$ h (CPU configured in switchover redundant mode)
MTTR = 4 h
P = 0.99
$T_{pt}$ = 12 months
gives $U_{CPU} = 6.933 \times 10^{-6}$.


Following the same pattern, the DCS functions, acquisition modules and output modules are calculated and substituted into the plant's PSA model; the resulting core damage probability is below 10^−4, which meets the plant's Level 1 PSA target. The established 12-month periodic test interval therefore meets the requirements.
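The formula above, applied to the MTBF values of Table 1 and inverted to find the longest test interval that still meets an unavailability target, as an added example (not the paper's code). MTTR = 4 h and P = 0.99 follow the worked CPU case; the 10^−4 target, the hours-per-month conversion and the use of a single target for every item are assumptions made here, and the numbers in the checks are what the formula returns for these inputs, computed here rather than taken from the text.

```python
"""Unavailability of DCS items versus periodic test interval (added example)."""
from typing import Dict, List, Optional, Tuple

HOURS_PER_MONTH = 730.0  # assumption: 8760 h per year / 12 months


def unavailability(mtbf_h: float, mttr_h: float, p_self_diag: float,
                   test_interval_h: float) -> float:
    """Mean unavailability (failure on demand) per the paper's formula:
    U = 1 - MTBF / (MTBF + MTTR + (1 - P) * Tpt / 2).
    (1 - P) * Tpt / 2 is the mean time a fault that escaped self-diagnosis waits
    for the next periodic test: half an interval on average when the failure
    rate times the interval is small."""
    if not 0.0 <= p_self_diag <= 1.0:
        raise ValueError("P must be a probability")
    latent_wait_h = (1.0 - p_self_diag) * test_interval_h / 2.0
    return 1.0 - mtbf_h / (mtbf_h + mttr_h + latent_wait_h)


def max_test_interval(mtbf_h: float, mttr_h: float, p_self_diag: float,
                      target_u: float) -> Optional[float]:
    """Longest test interval (h) for which U <= target_u.
    None: even continuous testing (Tpt = 0) fails, because the repair-time floor
          MTTR / (MTBF + MTTR) already exceeds the target.
    inf:  P = 1, every failure is self-revealing and the interval does not matter."""
    if unavailability(mtbf_h, mttr_h, p_self_diag, 0.0) > target_u:
        return None
    if p_self_diag >= 1.0:
        return float("inf")
    # Invert U = (MTTR + k*T) / (MTBF + MTTR + k*T), with k = (1 - P) / 2, for T.
    k = (1.0 - p_self_diag) / 2.0
    return (target_u * (mtbf_h + mttr_h) - mttr_h) / (k * (1.0 - target_u))


# (equipment, MTBF in hours) as listed in the paper's Table 1
TABLE_1: List[Tuple[str, float]] = [
    ("CPU power supply", 1.39e5),
    ("Optical electric converter", 9.80e6),
    ("Redundancy management equipment", 3.60e5),
    ("Master management unit", 3.08e5),
    ("Bus interface unit", 1.74e5),
    ("CPU processing unit", 2.05e5),
    ("I/O interface card", 5.96e5),
]


def screen(items: List[Tuple[str, float]], mttr_h: float, p_self_diag: float,
           test_interval_h: float, target_u: float) -> Dict[str, Tuple[float, bool]]:
    """One pass of the iteration in the paper's step 8: U of every item at a
    candidate test interval, and whether it meets the target."""
    result: Dict[str, Tuple[float, bool]] = {}
    for name, mtbf_h in items:
        u = unavailability(mtbf_h, mttr_h, p_self_diag, test_interval_h)
        result[name] = (u, u <= target_u)
    return result


if __name__ == "__main__":
    MTTR, P, TARGET = 4.0, 0.99, 1.0e-4  # assumptions: MTTR and P from the CPU case; target illustrative
    tpt = 12 * HOURS_PER_MONTH
    print(f"CPU (switchover mode) U at 12 months: {unavailability(2.654e8, MTTR, P, tpt):.3e}")
    for name, (u, ok) in screen(TABLE_1, MTTR, P, tpt, TARGET).items():
        print(f"{name:34s} U={u:.3e} {'ok' if ok else 'exceeds target'}")
    for name, mtbf in TABLE_1:
        t = max_test_interval(mtbf, MTTR, P, TARGET)
        if t is None:
            print(f"{name:34s} target unreachable at any interval")
        else:
            print(f"{name:34s} max Tpt = {t / HOURS_PER_MONTH:.1f} months")
```

The screening pass shows why the interval cannot be set from a single item: at 12 months a low-MTBF item such as the CPU power supply sits well above a 10^−4 target while the optical converter is far below it, so the interval either has to be shortened for the weakest item or, as the paper does, the per-item values have to be fed into the plant PSA model where redundancy and voting are credited.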

5 Calculation Process of Periodic Test Interval of Safety I&C System

Based on the above analysis of typical functions and equipment, the typical flow for calculating the periodic test interval of the safety-level I&C system from equipment reliability and the plant's PSA targets is divided into eight steps:
1) Determine the system structure, signal transmission mode and other information from the overall DCS design scheme, and analyze the implementation scheme of the safety-level I&C system with respect to diversity design, redundancy design and the single-failure criterion;
2) Function analysis, including protection system function grouping, topology, the DCS hardware that implements it, signal transmission paths and voting logic;
3) On the basis of the complete function analysis, develop a failure mode and effects analysis (FMEA) of the DCS equipment, i.e. an analysis of system unavailability under a single hardware failure;
4) Determine the equipment failure modes and failure rates;
5) Establish the DCS reliability model based on the FMEA and the reliability modeling method studied;
6) Analyze and debug the model, and correct anything that does not conform to reality;
7) Calculate the reliability data of the model and check whether the data meet the requirements of regulations and contracts;
8) Iterate the design: check whether the current periodic test interval meets the reliability target of the I&C system and the PSA target (Fig. 6).


Fig. 6. Calculation flow chart of periodic testing interval of safety I&C system

6 Conclusion

Improving the reliability of the safety-level I&C system plays an important role in the reliability of the whole nuclear power plant. Traditionally, system reliability was improved only by improving the reliability of the equipment (design process, redundancy, manufacturing process, etc.). With the spread of digital technology, self-diagnosis and periodic testing have also become important means of improving reliability. On this basis, this paper combines PSA technology to carry out a theoretical calculation of the periodic test interval, analyzes the test interval quantitatively from the plant-wide perspective of core melt and radioactive release, and gives a typical calculation. A PSA-based method for calculating the periodic test interval of the safety-level I&C system is proposed, which provides a useful exploration of and supplement to similar engineering practice.


Research and Application of Nuclear Instrumentation System EMI Design in Nuclear Power Plant
Jing Li, Li-Ming Zhang, Tian-You Li, and Jing Shang
State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Company Ltd., Shenzhen 518045, Guangdong, China
[email protected]

Abstract. The nuclear instrumentation system (RPN) continuously monitors the neutron flux level and the core power level in the reactor core and participates in the operation of the reactor protection system; it is a key instrumentation system related to reactor safety. In the past two years, abnormal fluctuation events of the RPN source range signal have occurred occasionally in multi-unit projects. Studies have found that electromagnetic interference (EMI) is a main cause of these signal abnormalities. This paper proposes adding electromagnetic compatibility design from the top-level design: meeting the electromagnetic environment requirements of the RPN signal detection equipment and cables through equipment design; improving the stability of the signal link through installation technical requirements; verifying the cabinets' requirements for the electromagnetic environment through equipment qualification and other means; and summarizing good practical experience from operating power plants to formulate systematic and detailed EMI protection requirements and implementation measures for the RPN system, in order to avoid signal "flash" and improve the stability of the power station.

Keywords: Nuclear Instrumentation · RPN · EMI

1 Introduction

1.1 Background

The nuclear instrumentation system (RPN) is one of the important systems directly related to reactor safety. It continuously monitors the reactor core power level, power change rate and axial power distribution using a set of neutron detectors installed outside the reactor pressure vessel. The functions of the RPN system are:
(1) Protection function. It provides high neutron flux and high flux change rate signals to the reactor protection system to trigger the reactor emergency shutdown function, and participates in the calculation of the over-temperature ΔT and over-power ΔT protection.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021 Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 563–572, 2021. https://doi.org/10.1007/978-981-16-3456-7_54


J. Li et al.

(2) Control function. The multiplication period signal participates in boron dilution protection under shutdown conditions. It triggers the alarm, control rod lock and adjustment signals.
(3) Monitoring function. Through continuous monitoring of reactor power, power change rate and power distribution, reactor status information during loading, shutdown, startup and power operation is provided to the operators.

In the past two years, abnormal fluctuation events of the Nuclear Instrumentation (RPN) Source Range signal have occurred occasionally in multi-unit projects [1], which have affected the safety and economy of the power stations to some extent. Field analysis found that electromagnetic interference (EMI) is one of the main causes of the signal abnormalities.

1.2 Problem Analysis

Electromagnetic interference in nuclear power plants mainly takes the following four forms:
(1) Interference entering the equipment from outside through capacitive or inductive coupling of the equipment connection cables; such interference is generated by the potential difference between the different reference grounds of two pieces of equipment, or by the potential difference along long equipment connection cables;
(2) ESD interference when personnel touch control panels, chassis or cabinets;
(3) Radiated electromagnetic field interference from interphones, mobile phones, radio stations, television stations and radar stations;
(4) Surge interference on the AC power supply caused by lightning and switching operations [2].
Under normal operating conditions there is no essential difference between the electromagnetic environment of a nuclear power plant and that of other types of power plant, but nuclear power plants place higher requirements on the stability, reliability and interference immunity of the RPN system.
Therefore, when designing the EMC of the RPN system in a nuclear power plant, the electromagnetic disturbance sources and interference types in the operating environment of the RPN system must be fully considered, and targeted electromagnetic protection design and optimization carried out so that the system operates in its best state. While resolving the signal "flash" (abnormal fluctuation) problem, power stations have adjusted the arrangement and routing of RPN system equipment and of related systems' equipment to reduce the influence of EMI. However, these adjustments lacked a clear theoretical basis and a systematic adjustment method, and there has been no systematic research on the EMC environmental requirements, environmental identification and classification in nuclear power stations. In the plant design process, the electromagnetic compatibility qualification of individual equipment is fairly standardized, but requirements for the electromagnetic compatibility environment of the complex nuclear power setting are lacking. Nuclear power plants under construction have limited means to detect and deal with


power measurement signal fluctuations caused by electromagnetic compatibility problems, and the treatment and response measures are very complicated. Establishing corresponding specifications in the design and construction stages can therefore effectively prevent and eliminate the above situations.

2 Analysis of Equipment and Layout Characteristics of the RPN System

2.1 RPN System Equipment

The RPN detector generates the measurement signals, which are transmitted through integral cables, connection boards, penetrations and biological-shield cables into the RPN protection cabinet for amplification, discrimination, data processing, etc. The signal transmission path can be simplified as follows (Fig. 1):

Fig. 1. RPN typical transmission line

The CPR1000 power station has conducted EMC interference tests on the RPN source range channel transmission links. Because the influence of external electromagnetic interference on the RPN system manifests mainly as interference with the RPN signal links, the two signal links of the RPN system are the main measurement references for EMC measurement of the RPN system [3].

2.1.1 Detector Body

According to the basic structure of the neutron detectors of the CPR1000 power station, the neutron detectors CBL26 (source range detector), CPNB44 (intermediate range detector) and CC80 (power range detector) have a sealed metal cladding, so electromagnetic interference has no effect on the detector itself. However, to avoid low-frequency common-mode currents caused by the voltage difference between different ground points, all detector housings must be grounded (Fig. 2).


Fig. 2. Typical structure diagram of neutron detector

As shown in the above figure, the detector has an aluminum sealed cladding, which greatly attenuates electromagnetic interference, but the detector must still be kept away from strong low-frequency magnetic sources.

2.1.2 Mineral-Insulated Coaxial Cables

The mineral-insulated cable between the detector and the connection board is part of the detector. In the current CPR1000 design, because the cable is short (less than 15 m) and is supported in the adjacent concrete wall, the common-mode current induced on the outer shield by radiated coupling is very low. It must be ensured that no interfering cables run close to the detector area, to avoid high-frequency crosstalk or capacitive coupling into the detector.

2.1.3 RPN Cabinets, Boards and Equipment in Cabinets

See Fig. 3 for the schematic layout of the RPN system architecture. The RPN system equipment is installed in five cabinets: four protection cabinets and one control cabinet. The protection cabinets require physical and electrical isolation, and isolation of the entire channel from the RPN detector measurement to signal conditioning. The control cabinet receives analog signals from the four protection cabinets, which must be fitted with isolation modules to isolate the analog signal transmission from the control cabinet. The control cabinet sends the count rate


signal to the reactor building, to the cabinet and to the loudspeaker in the main control room [4]. At the same time it provides neutron level and neutron noise signals to the KIR system, transmitted by hard wiring. The IP, IIP and IIIP channel protection cabinets each contain the measurement and processing functions of three measurement channels (source range, intermediate range and power range); the IVP channel protection cabinet contains the measurement and processing function of one measurement channel (power range). Each measurement channel consists mainly of two parts: the neutron detector and the processing modules. The processing modules condition and process the signals generated by the neutron detector and provide the required data and standard signal interfaces downstream.

Fig. 3. Schematic diagram of detector cabinet layout

2.2 Analysis of RPN System Layout Characteristics

2.2.1 Environmental Analysis and Installation Requirements

The CPR project measured the external electromagnetic interference on the RPN system, mainly along the cable routes of the two source range channels. There is a great deal of electrical equipment along the RPN source range signal links, such as large cabinets, uninterruptible power supplies, air conditioners and lighting equipment. Although each item has passed EMC qualification, site space is limited, and it is not clear whether superimposed electromagnetic interference arises because the equipment is so close together. A field-strength meter was used to measure the electromagnetic disturbance in the ambient environment and from the electrical equipment, and a current probe with a spectrum analyzer was used to measure the electromagnetic disturbance radiated outward through the cables connected to the electrical equipment (Fig. 4). From the on-site survey and electromagnetic environment measurements of the RPN source range channel, the preliminary conclusions are:


Fig. 4. Measuring the power input line of energy-saving lamp with current probe

(1) The RPN cables pass through rooms of the reactor building, the connection building and the electrical building, and in some areas the electromagnetic interference is relatively large.
(2) The electric field emission intensities of the electrical equipment along the cable route differ significantly.
(3) The electromagnetic disturbance caused by some electrical equipment is relatively strong. Energy-saving lamps are a main source of electromagnetic disturbance in the unit, and the corresponding suppression measures are not in place; moreover, the electromagnetic emission of the energy-saving lamps exceeds the requirements of GB 17743 in some frequency bands [5].
(4) The grounding and shielding measures for some cables, trays and penetrations are not in place.
In summary, although individual equipment and cables meet the EMC technical requirements, the connectors remain weak links, especially those frequently handled during installation, commissioning, maintenance and testing. Acceptable installation technical requirements shall be formulated for each link, covering:
a) Laying of cables in the instrument vertical shaft;
b) Installation and wiring of the neutron flux rate detectors;
c) Cables between the cabinet and the neutron flux rate detector;
d) Fabrication of the various connectors;
e) Connection of cables in the electronic cabinets;
f) Continuity requirements for cable trays.


2.2.2 Grounding and Shielding Issues

Grounding and shielding measures effectively protect the electrical system from external electromagnetic noise and greatly improve its adaptability to the electromagnetic environment; proper grounding and shielding also suppress the electromagnetic disturbance generated by the electrical system itself. Good grounding provides a low grounding impedance, which is an important factor in ensuring the shielding effectiveness of a shield. However, the RPN field measurements found many grounding and shielding problems with the shielded cables, cabinets, trays and penetrations in the unit, mainly:
(1) When a shielded cable is terminated, the shield is discontinuous.
(2) Trays are interrupted, so the shield is discontinuous; external electromagnetic disturbance can enter the electrical system through the break in the shield, and the disturbance generated by the electrical system itself radiates outward through it.
(3) Missing bonding measures at tray joints leave the tray (shield) discontinuous at the joints, with large gaps. A gap of a certain length acts as a receiving or transmitting antenna, picking up external electromagnetic disturbance or radiating the disturbance it carries.
(4) No shielding material is used at the gaps of the cabinet. A rectangular slot in the cabinet acts as a receiving or transmitting antenna for electromagnetic disturbance, which degrades the cabinet's adaptability to the electromagnetic environment [6].
2.2.3 Isolation Between Interference Source and Transmission Path The RPN path has a long trace, from the perspective of electromagnetic compatibility, it can be considered that the RPN path is the “transmission path” to receive electromagnetic disturbance. No matter in theory or in engineering practice, it is required that the high-intensity electromagnetic noise source and the "transmission path" for receiving electromagnetic disturbance should be separated from each other in space. However, in the actual implementation process on site, it was found that the interference sources in some rooms were close to the trays of RPN system, which did not meet the requirements of isolation [7].

3 Analysis of Qualification Standards for RPN Detectors

3.1 Electromagnetic Compatibility Standards Commonly Used in Nuclear Power Plants

The standards generally referred to for equipment of different safety classes in nuclear power plants are listed in Table 1. Safety-class equipment mainly refers to RG 1.180 and IEC 62003 for electromagnetic compatibility tests, while the reference standards for non-safety-class equipment are more diverse: they can be special product standards, product family standards or generic EMC standards, but the specified test items and test levels are roughly the same. The main reference standards are GB 11684 [8], IEC 61326 [9] and IEC 61000-6 [10].

Table 1. Reference standards for EMC tests commonly used in nuclear power plants

| Safety class | Special product standard | Product family standard | Generic standard | Basic standard |
|---|---|---|---|---|
| Safety class | RG 1.180, IEC 62003 | – | – | IEC 61000-4, MIL-STD-461E |
| Non-safety class | – | GB/T 11684, IEC 61326 | IEC 61000-6-2, IEC 61000-6-4 | IEC 61000-4 |

3.2 RPN Detector Evaluation Requirements

The electromagnetic compatibility test of the RPN detector must be carried out together with the secondary instrument and the transmission cable; the test method can follow IEC 61000-4. Acceptance basis: after the detector components are connected to the secondary instruments and transmission cables, the overall test result must meet the electromagnetic compatibility requirements of the cabinet. At present, the electromagnetic compatibility of RPN system electrical equipment relies mainly on two measures: (1) at delivery, the equipment supplier provides an EMC test qualification report; (2) a "nuclear instrumentation anti-noise test" is carried out on site. The EMC test report provided by the equipment supplier of the CPR1000 project is based on the IEC 61000-6 series, which are generic EMC standards written for general conditions: the emission limits they specify are relatively high and the immunity test levels relatively low. Equipment conforming to the IEC 61000-6 series is therefore not necessarily suitable for the electromagnetic environment of the nuclear island. For example, for radiated electromagnetic field immunity the IEC 61000-6 series requires only 10 V/m over a frequency range limited to 80 MHz–1000 MHz, and for electrical fast transient/burst immunity the test level is only up to ±2 kV. Moreover, the standard applies to all electrical equipment operating in an industrial environment. The clauses of the IEC 61000-6 series are thus applicable only to general conditions.
For the nuclear island, the best approach is to compile a targeted electromagnetic compatibility test outline based on the monitoring data of the electromagnetic environment on the nuclear island. Only electrical equipment that meets the test requirements of that outline should be used on the island.


3.3 RPN Cabinet Qualification Test

Table 2 lists the tests that have been carried out and the accepted performance criteria.

Table 2. Cabinet test items

| Test item | Test parameters | Reference standard | Test level | Performance criterion |
|---|---|---|---|---|
| Electrostatic discharge immunity (contact discharge) | Contact discharge ±4 kV | IEC 61000-4-2:2001 | Class 3 | A (±4 kV) |
| Electrostatic discharge immunity (air discharge) | Air discharge ±8 kV | IEC 61000-4-2:2001 | Class 2 | A (±8 kV) |
| Radiated radio-frequency electromagnetic field immunity | 80–1000 MHz | IEC 61000-4-3:2002 | Class 3 | A (10 V/m) |
| Electrical fast transient/burst immunity | 5/50 ns, 5 kHz | IEC 61000-4-4:2004 | Class 3 | A (I/O ±1 kV; power supply ±2 kV) |
| Immunity to conducted disturbances induced by radio-frequency fields | 0.15–80 MHz | IEC 61000-4-6:2006 | Class 3 | A (10 V) |

Note: Performance criterion A: during and after the test the instrument (equipment) shall continue to operate as intended. When the equipment is used as intended, no degradation of performance or loss of function below the performance level specified by the manufacturer is allowed [11].

4 Conclusions

Improving the EMC design of nuclear instrumentation is a systematic undertaking. The research in this paper shows that electromagnetic compatibility design must be included from the top-level design of the system: meet the electromagnetic environment requirements of the RPN signal detection equipment and cables through equipment design; verify the cabinet's requirements for the electromagnetic environment through equipment qualification and other means; and improve the stability of the signal link through installation technical requirements. Combined with the RPN layout scheme and project engineering experience, EMI protection requirements and implementation measures that can be applied on site are formulated, and daily supervision is strengthened to keep the system in a healthy and stable operating state under good environmental conditions, ensuring continuous and stable production of the nuclear power plant.


References
1. IEEE Std 323-2003: Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations. IEEE, New York (2003)
2. Jian-Wen, Q., et al.: Tactics and challenge to electromagnetic compatibility in nuclear power plant. Atom. Energy Sci. Technol. 43(Suppl.), 360–363 (2009)
3. Xing-Qiang, L., et al.: Analysis and solution of spike current of intermediate range for nuclear instrumentation system. Nucl. Power Eng. 36(1), 104–107 (2015)
4. Wen-Jun, H., et al.: EMC test and design of I&C system in nuclear power plants. Nucl. Power Eng. 29(3), 85–88 (2008)
5. GB/T 17743-2017: Limits and methods of measurement of radio disturbance characteristics of electrical lighting and similar equipment
6. RCC-E: Design and Construction Rules for Electrical Equipment of Nuclear Islands, Section A: General and Quality Requirements (2005)
7. NB 20161-2012: Installation and Commissioning Technical Guideline for Ex-Core Neutron Flux Measuring System for Pressurized Water Reactor of Nuclear Power Plants
8. GB/T 11684-2003: Electromagnetic Environmental Conditions and Test Methods for Nuclear Instruments. China Standard Publishing House, Beijing (2003)
9. IEC 61326-2002: Electrical equipment for measurement, control and laboratory use – EMC requirements
10. IEC 61000-6-2-2005: Electromagnetic compatibility (EMC) – Part 6-2: Generic standards – Immunity for industrial environments
11. IEC 61000-4: Electromagnetic Compatibility (EMC) – Part 4: Testing and Measurement Techniques (2000)

Research on the Design Improvement of Important Function Interface for Tripping and Load Rejection in Nuclear Power Plant
Shan-Shan Gu, Bin Zeng, Heng Li, Li-Ming Zhang, and Hua-Qing Peng
State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co. Ltd., Shenzhen 518172, China; I&C Department, China Nuclear Power Engineering Company Ltd., Shenzhen, China
[email protected]

Abstract. In the early 1990s the PLC replaced the conventional relay control circuit, became popular in many fields and greatly simplified the control circuits of power plants. With the development of technology, all kinds of automation technology have been widely applied in various industries, and the DCS is gradually replacing the PLC, which inevitably brings various problems in practical application. This paper introduces in detail the problems encountered in the current transformation, from the aspects of controller configuration, logic function design and redundant fault-tolerant mechanism. Through comparative analysis and qualitative research, it analyzes the design of the important functional interfaces for turbine trip and load rejection in a nuclear power station and gives solutions to the problems of the transformation.

Keywords: Turbine trip and load rejection · WATCH DOG · Redundant configuration · Default value

1 Introduction

In the conventional island analog systems of a nuclear power station, the turbine trip and load rejection signal logic is triggered when the turbine control system fails or under other operating conditions that require it, in order to achieve shutdown protection [1]; it is realized by a PLC (programmable logic controller) system with two sets of cabinets. A failure of the PLC control system could lead to spurious operation of the shutdown protection signal; the internally configured WATCH DOG module and the protection-lost signal act to prevent this. Over time, the PLC system, which has played a crucial role since the 1960s, has become technically outdated, and its reliability declines as its service life lengthens.

1.1 PLC Controller Configuration

According to the function allocation of the PLC controller, it can be divided into three parts, as shown in Fig. 1: the local control equipment, the PLC control cabinet and the third-party cabinet.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 573–581, 2021. https://doi.org/10.1007/978-981-16-3456-7_55

S.-S. Gu et al.

Fig. 1. PLC controller configuration (figure: local cabinet with instrument, actuator and fault monitors, 1~5V transferred to 4~20mA; PLC control cabinet with two channels CH.1/CH.2, each with CPU and WATCH DOG, combined through ≥1; third-party cabinet returning feedback signals, including the feedback signal of normally triggered)

• The first part consists of the instruments and the local cabinets. The instrument measures the signals and transmits them to the local cabinet, in which an initial fault judgment is made to detect whether the voltage and current of the received signal are within the measurement range, or to determine whether the signal in the channel can be sent and received normally.
• In the PLC control cabinet, each of the two channels is equipped with a CPU (Central Processing Unit) controller to perform the normal logic operations. The WATCH DOG circuit is used to ensure stable operation of the PLC control program and to diagnose faults of the CPU; in addition to its self-diagnosis function, it detects the signal of the other channel and participates in the logic switching of the controller [2].
• The third part, as shown in Fig. 1, is the third-party cabinet, which receives control commands from the PLC and feeds back whether the tripping signals were triggered normally.

1.2 Logic Function Design

The Generator Stator Cooling Water System (GST) depends on low-conductivity water passing through the stator windings to cool the generator stator windings [3]. The quality, temperature, pressure, flow rate and other parameters of the cooling water are required to meet the requirements of the generator; otherwise the turbine tripping protection signal is triggered, cutting off the power oil and draining the residual oil of the steam valve operating device of the turbine, so that the steam valve closes quickly under the action of its spring. The turbine trip protection logic is shown in Fig. 2; two situations lead to the relay acting:

a) One of the following conditions exists: Conductivity Fault, Hydrogen Pressure < 4 bar, Conductivity ≥ 1.8, Stator Water Flow High, Current ≥ 2350 A;
b) Stator water flow low together with the feedback signal of the oil pressure information.

Research on the Design Improvement of Important Function Interface

Fig. 2. Turbine trip protection logic (figure: ≥1 of Conductivity Fault, Hydrogen Pressure < 4 bar, Conductivity ≥ 1.8, Stator Water Flow High, Current ≥ 2350 A → Relay Act; Stator Water Flow Low & Oil Pressure Low1 / Oil Pressure Low2 → Relay Act)

When the trip command is issued, a feedback signal is received from the third-party cabinet indicating whether the trip signal was triggered normally. If not, the protection is considered lost. The main reasons for loss of protection are a channel fault, when 2 of the 3 deviation signals exceed the limit, and a card fault. From Fig. 3 we can see that any one of the following 4 conditions leads to protection lost:

a) Channel 1 and channel 2 trip failure;
b) Output Card fault;
c) More than 2 Measured MD Signals/Deviation signals over Range;
d) More than 2 Measured MI Signals/Deviation signals over Range.

1.3 Redundant Fault Tolerance Mechanism

Redundant fault tolerance mechanism (single channel as an example): Three pressure signals (MP1/MP2/MP3) are sent from the local cabinet to the PLC control cabinet for logical operation. First, it is determined whether each signal is over range. The judgement process and its results are given in Table 1, where in columns 2–4 "1" means the signal is not over range and "0" means it is over range. After the over-range judgment, the pairwise deviation calculation of the three signals produces three deviation signals (MP1/MP2/MP3). It is then determined whether each deviation signal exceeds 5% of the limit; the detailed results are shown in Table 2, where in columns 2–4 "1" means the deviation is within the limit and "0" means it is over the limit.

Dual-channel redundant control logic: The logical judgment process above is carried out at the same time in channel 1 and channel 2, which are spare for each other. When one channel's signal is found unavailable by the logic judgment above, the other one is put into operation automatically.

Fig. 3. Protection loss logic (figure: Channel 1 Relay not Act & Oil Pressure not Low, & GST Trip Command1 → Channel1 trip failure; Channel 2 same as Channel 1 → Channel2 trip failure; Protection Lost = ≥1 of Channel1 trip failure, Channel2 trip failure, Output Card fault, ≥2 Measured MD Signal/Deviation signal over Range, ≥2 Measured MI Signal/Deviation signal over Range)

Table 1. Pressure signal judgement process and action

No  MP1  MP2  MP3  Logic operation  Action
1   1    1    1    Normal           Normal
2   1    1    0    Abnormal         Take the last effective value of the signal over range and send an alarm at the same time (rows 2–8)
3   1    0    1    Abnormal
4   0    1    1    Abnormal
5   1    0    0    Abnormal
6   0    1    0    Abnormal
7   0    0    1    Abnormal
8   0    0    0    Abnormal

In Fig. 4, each channel is equipped with one CPU, and the two channels are standby for each other.
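The single-channel validation of Sect. 1.3 (the over-range judgement of Table 1, the pairwise deviation judgement with logic degradation of Table 2, the "≥2 signals over range/limit" condition of Fig. 3 and the channel changeover) written out as an added Python example; this is not code from the paper or from the plant's PLC. The 4~20 mA range, the use of 5% of the range span as the deviation limit, per-signal substitution of the last effective value, averaging the closest in-limit pair during degradation and treating channel 1 as the preferred channel are assumptions made for the example.

```python
from dataclasses import dataclass, field
from itertools import combinations
from typing import Optional

# Constructed parameters (assumptions, not values from the paper): the local
# cabinet is said to check that the received signal lies within its measurement
# range, and deviations are compared against a 5% limit. A 4~20 mA loop and
# "5% of the range span" are taken as the concrete numbers for this example.
RANGE_LO, RANGE_HI = 4.0, 20.0
DEV_LIMIT = 0.05 * (RANGE_HI - RANGE_LO)   # 0.8 mA


@dataclass
class PressureChannel:
    """One PLC channel processing the three pressure signals MP1/MP2/MP3 (Sect. 1.3)."""
    last_good: list = field(default_factory=lambda: [None, None, None])  # per-signal hold
    last_output: Optional[float] = None                                  # channel output hold
    alarms: list = field(default_factory=list)

    def evaluate(self, mp) -> dict:
        """Apply Table 1 (over-range) and then Table 2 (pairwise deviation) to one scan."""
        # ---- Table 1: over-range judgement; "1" = in range, "0" = over range ----
        in_range = [RANGE_LO <= v <= RANGE_HI for v in mp]
        values = []
        for i, (v, ok) in enumerate(zip(mp, in_range)):
            if ok:
                self.last_good[i] = v
                values.append(v)
            else:
                # rows 2-8: substitute the signal's last effective value and alarm
                # (assumed reading of "take the last time effective value of the signal")
                self.alarms.append(f"MP{i + 1} over range ({v:g}); last effective value used")
                values.append(self.last_good[i])
        n_over_range = in_range.count(False)

        # ---- Table 2: pairwise deviation judgement; "1" = within limit ----
        # a signal with no effective value recorded yet cannot pass any deviation check
        within = {}
        for i, j in combinations(range(3), 2):
            a, b = values[i], values[j]
            within[(i, j)] = a is not None and b is not None and abs(a - b) <= DEV_LIMIT
        n_within = sum(within.values())
        n_dev_over = 3 - n_within

        if n_within == 3:
            # row 1: all three deviations within limit -> average of the three signals
            output, status = sum(values) / 3, "normal"
        elif n_within == 2:
            # rows 2-4: logic degradation -> average two signals within limit;
            # the closest in-limit pair is chosen here (assumption)
            i, j = min((p for p, ok in within.items() if ok),
                       key=lambda p: abs(values[p[0]] - values[p[1]]))
            output, status = (values[i] + values[j]) / 2, "degraded"
        else:
            # rows 5-8: two or more deviations over limit -> hold last output and alarm
            output, status = self.last_output, "abnormal"
            self.alarms.append("deviation over limit on >=2 pairs; last effective value held")

        if output is not None:
            self.last_output = output

        # Fig. 3: >=2 measured signals or >=2 deviation signals over range/limit is
        # one of the conditions that declares protection lost
        protection_lost = n_over_range >= 2 or n_dev_over >= 2
        return {"output": output, "status": status, "over_range": n_over_range,
                "dev_over": n_dev_over, "protection_lost": protection_lost}


def dual_channel_output(res_ch1: dict, res_ch2: dict) -> dict:
    """Dual-channel redundancy of Sect. 1.3: the standby channel takes over when the
    active one is unavailable; channel 1 is assumed to be the preferred channel."""
    for name, res in (("CH.1", res_ch1), ("CH.2", res_ch2)):
        if res["status"] != "abnormal" and res["output"] is not None:
            return {"channel": name, **res}
    return {"channel": None, **res_ch2}   # neither channel has a usable value


if __name__ == "__main__":
    # constructed scans: healthy, MP3 over range, then two deviations over limit
    ch1, ch2 = PressureChannel(), PressureChannel()
    for scan in [(12.0, 12.1, 11.9), (12.0, 12.1, 25.0), (12.0, 13.5, 11.9)]:
        r = dual_channel_output(ch1.evaluate(scan), ch2.evaluate(scan))
        print(scan, r["channel"], r["status"], r["output"], r["protection_lost"])
    print(ch1.alarms)
```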

Table 2. Deviation signal judgement process and action

No  MP1  MP2  MP3  Logic operation  Action
1   1    1    1    Normal           Average the three signals
2   1    1    0    Normal           Logic degradation: average the two signals within limit (rows 2–4)
3   1    0    1    Normal
4   0    1    1    Normal
5   1    0    0    Abnormal         Take the last effective value of the signal over limit and issue an alarm at the same time (rows 5–8)
6   0    1    0    Abnormal
7   0    0    1    Abnormal
8   0    0    0    Abnormal

Fig. 4. Dual-channel redundancy control diagram (figure: PLC with CH.1 and CH.2, one CPU each, combined through ≥1 to the Third Party Cabinet)

2 Problems Existing in Digital Transformation of DCS

The digital transformation adopts a DCS (Distributed Control System) with a double-CPU redundant configuration and rich self-diagnosis functions. It generally makes use of the characteristics of the DCS platform by improving the interface signal configuration and the signal fault detection mechanism [4], setting default values and other means, in order to improve the important interfaces and control systems for turbine trip and rejection and so raise the reliability and availability of the unit. The following parts put forward a set of solutions for the digital transformation by analyzing the settings of the redundant design and logic degradation, based on the original situation of the Nuclear Power Station combined with the characteristics of the current DCS platform.

• Fault monitoring mode: After the transformation to DCS, the hardware fault monitoring mechanism is different and the WATCH DOG function is cancelled. When the PLC system failed, the WATCH DOG module blocked the trip and rejection signals to prevent false triggering of the protection signals; in addition, it issued AA/EC alarms to remind the operator of the PLC controller fault.
• The third-party cabinet: With the synchronous transformation of the third-party cabinet, there is no longer a feedback signal indicating whether the trip signal was triggered normally.
• The number of trip and rejection signals: The turbine trip and rejection signal is issued not only by the GST system but also by 2 other systems related to the control of turbine trip and rejection. There are a total of 12 signals, any one of which causes a trip when triggered; the risk of false triggering of trip signals is therefore high.

3 Composition of Digital Transformation

3.1 DCS Controller Configuration

As described in Fig. 5, the local control configuration remains unchanged. The PLC control part is changed to dual-channel with dual CPUs per channel, instead of dual-channel with one CPU per channel [5].

Fig. 5. DCS controller configuration (figure: local cabinet with instrument and actuator; controller with CH.1 and CH.2, each holding CPU1 and CPU2, IO transfer and a ≥1 gate; third-party cabinet)

3.2 Default Value Implementation

Without a WATCH DOG module, the DCS controller performs fault diagnosis via signal quality judgement and the setting of default values [6]. The signal quality judgment mainly covers two parts, channel faults and module faults, as shown in Fig. 6:

• Channel faults: signal over range, channel short circuit, open circuit and other faults in the signal transmission channel.
• Module faults: CPU module, IO module, storage module, etc. Besides these, thermocouple cold junction failure and contact jitter can also trigger the quality signal.

Fig. 6. Signal quality trigger logic (figure: channel faults – over range, short/open circuit, thermocouple cold junction failure, contact jitter, … – and module faults – power supply fault, signal link fault between IO module and DCS, IO module fault, … – feed the signal quality judgement, which produces the signal quality)

3.3 Logic Optimization of Turbine Trip and Rejection Signals (GST System)

The trip action feedback relay that works in the trip protection logic is cancelled, and the trip feedback function is replaced by the signal acquisition records from the third-party cabinets to the DCS. The original card output failure involved in the protection loss logic is replaced by the default value of the DCS output. From Fig. 7 we can see that either of the following 2 conditions leads to protection lost [7]:

a) More than 2 Measured MD Signals/Deviation signals over Range together with the related signal quality information;
b) More than 2 Measured MI Signals/Deviation signals over Range together with the corresponding signal quality information.

Fig. 7. Optimized protection lost logic (figure: Protection Lost = ≥1 of [Signal quality & ≥2 Measured MD Signal/Deviation signal over Range] and [Signal quality & ≥2 Measured MI Signal/Deviation signal over Range])


In order to simplify the logic and reduce the failure points [8], the 12-way trip signals are optimized to 6-way trip signals in the two channels of the third-party cabinets, and 2 out of 3 trip signals are selected respectively, details as follows (Fig. 8):

Fig. 8. The optimization of trip signal’s number and control logic

4 Results

As mentioned above, the original control system has a series of problems that can be solved through the transformation, but the transformation is also accompanied by new problems. For this reason, the solution is constructed mainly from three aspects: control mechanism, default value setting and logic optimization.

a) Control mechanism: Dual channels, dual CPUs and an independent trigger mode are adopted in the transformation, so the failure of one does not affect the normal operation of the other. In the original design, by contrast, the watchdog was triggered by a single PLC controller fault and locked all turbine trip and rejection signals in case of a fault. Compared with the original design, reliability and safety are therefore greatly improved.
b) Default value setting: After optimization, the fault default value (triggered by the quality bit signal) is used to trigger important signals such as turbine trip and load rejection, and this logic function completely covers the function of the WATCH DOG and of the locking signal issued on card failure.
c) Logic optimization: The more signals there are, the greater the risk of problems; in other words, the number of fault points is positively correlated with the number of IO points. To reduce the failure points, the 12-way trip signals are optimized to 6-way trip signals, which clearly lowers the probability of a turbine trip and rejection and improves the reliability of the unit.


5 Conclusion

The original control system had no IO self-diagnosis function and no redundant CPU configuration. As the service life of the unit grew longer, the cabinet modules aged and spare parts became insufficient. Through the transformation, the above problems have been solved: the central processing units, network and power supply of the DCS of each unit adopt a redundant configuration. At the same time, the DCS fault diagnosis mechanism is more systematic and comprehensive than that of the original PLC, which greatly improves the safety of the control system. In addition, the DCS itself makes it convenient to establish a unified database, which is conducive to better automatic control and data acquisition for the whole power plant, raises the automation management level of the unit and reduces the burden on operators.

References

1. Wei, S., Huan-Xin, Z., Zhi-Wu, G.: The comparison of interlocking logic in the DCS between reactor and turbine trip. Chin. J. Nucl. Sci. Eng. (12), 68–73 (2010)
2. Hang, L., Yi-long, G., Yu-Liang, L., Guo-dong, Y.: Design on practical watch-dog circuit. Coal Mine Mach. 04, 30–32 (2010)
3. Yu, H.: Devices and Systems of 900MW PWR, pp. 509–511. Atomic Energy Press, Beijing (2005)
4. Jian, L.: Analysis on DCS signal quality bits and default values in NingDe nuclear power station. Technol. Dev. Enterp. 11, 58–60 (2017)
5. Lian-Jun, X.: Research and Implementation of Dual-CPU redundancy communication and control system. Master Thesis, Xidian University, no. 1 (2011)
6. Shao-Wei, W., Gong-Jie, L., Wei, S., Yong, T.: Default value realization research of CPR1000 safety classified DCS platform. J. Mech. Electr. Eng. 1, 100–104 (2017)
7. Li-Cheng, Y.: Optimization and improvement of protection logic for turbine of 300 MW unit. Electr. Power Constru. 6, 37–39 (2002)
8. Zu-Xiang, Z., Jun, Z.: Effects of dial number and signal interval on supervisory performance. Chin. J. Appl. Psychol. 3, 3–7 (1997)

Closed-Loop Management Optimization of Technical Change in PWR Nuclear Power Plant

Min Long(B), Fang Li, and Li-Chuang Tian

Start-up and Commissioning Center of China Nuclear Power Engineering Co., Ltd., Shenzhen 518124, Guangdong, China
[email protected]

Abstract. In the process of construction and commissioning of a million-kilowatt pressurized water reactor (CPR1000), design optimization or technical parameter adjustment produces a certain number of technical changes. Technical changes are generally completed and closed by different departments of the construction unit through four steps: design, distribution, implementation and reappraisal. The process of technical changes is complex and the amount of coordination work between the departments involved is large, so that technical changes suffer from reissue, omission, missing implementation, missing reappraisal, etc., which increases the risk to the safe and stable operation of the unit. By studying the optimization of the management systems, the systems are given functions for automatic screening and filtering, which automatically form the implementation and identification tasks. Furthermore, the systems establish the relationships between upstream and downstream, realize visual query and tracking of the related upstream and downstream processes, and realize the closed-loop management of the technical change process.

Keywords: Technical change · Association · Closed-loop · Process

1 Introduction

The technical changes of a million-kilowatt class pressurized water reactor (CPR1000) unit include the Design Evolution Notice (DEN), Component Intervention Notice (CIN), Field Change Request (FCR), Design Change Request (DCR) and Post EESR Change Follow-up Sheet (PECFUS). They are transferred among four departments: the Engineering & Design Institute, the Equipment Procurement and Supply Division, the Construction Management Division and the Start-up Department. Because of the different initiators and user objects, the five kinds of technical changes are transferred and closed in two unrelated management systems [1]. DEN/CIN/FCR are initiated, circulated and closed in different modules of the IMS-CA construction management system, while DCR/PECFUS are tracked and managed in a special module of the IMS-SU commissioning management system. The above technical changes are processed through 2 management systems, 19 processes, 56 links and 111 options. As there is no correlation between the two management

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 582–588, 2021. https://doi.org/10.1007/978-981-16-3456-7_56


systems, the technical changes run in parallel and separately, with no real-time effective connection, which leaves the responsible persons unable to trace the complete business chain of a technical change during the process. There is no chain closed-loop management such as correlation tracking, mutual experience feedback, reappraisal and closing, which brings shortcomings such as omissions, errors and inefficiency to the management. In order to reduce the unit management risk introduced by technical change management, the closed-loop management of technical changes is established step by step, and the efficiency of technical change management improved, by analyzing the defects of the system modules, optimizing the correlation model of technical changes, building the interfaces between the various processes, establishing the closed-loop management network of the technical change processes, and standardizing process initiation, implementation, closing and other links.

2 Existing Problems of Change Management

During construction, the average number of technical changes and defects generated by a single unit is more than 100,000. For a change to the same system in the same unit, because the two management systems are not associated, only the responsible person can identify the relationship between technical changes offline, by consulting several management systems. On the one hand, it takes a long time to complete the task and close the technical changes, which increases the risk of human error. On the other hand, it increases the rate of retransmission and missing reappraisal of PECFUS and of false closing of DEN/CIN/FCR/DCR, which leads to missed reappraisal of technical changes and brings greater risk to the unit. According to statistics, the number of PECFUS missed for issue or reappraisal in a unit without a closed-loop management system is about 2500. Figure 1 shows the relationship between technical changes without a closed loop.

Fig. 1. Correlation between technical changes without closed-loop

3 General Introduction of Optimization Scheme

3.1 Overall Technical Scheme

First, the basic data of the two management systems must be unified, by transforming and optimizing each technical change module without changing user habits. Second, the closed-loop optimization is carried out so that DEN/CIN/FCR/DCR automatically trigger PECFUS tasks, and the active relationship between upstream and downstream processes is established. After that, the transfer association and the forced passive correlation and closed association of DEN/CIN/FCR/PECFUS are established. Finally, to-do tasks are formed automatically by establishing the association relationships between the two management systems, which checks for leakage and fills it automatically. Figure 2 shows the overall scheme of closed-loop management optimization of technical changes.

Fig. 2. Overall scheme of closed-loop management optimization for technical changes

3.2 Detailed Technical Scheme

By optimizing the closed-loop management of the technical change process, building the interfaces between technical changes, and standardizing the mode of initiation, audit and execution of the technical change process, the closed-loop management network of the technical change process is established. Using the visual grid function of the management systems, the upstream and downstream logical relationship between processes can be viewed in real time, which effectively avoids missing the triggering of technical changes, improves the quality of the nuclear power plant, reduces the risk of leakage and improves the safety of construction.

3.2.1 Unification of Basic Data

Because of the different division of specialties among the four departments (Engineering & Design Institute, Equipment Procurement and Supply Division, Construction Management Division and Start-up Department), the codes of the next level (i.e. subsystem codes) in the management systems are not completely consistent. For example, the Construction Management Division generally divides and transfers subsystems according to the installation characteristics (maintenance or instrument) of the system, while the Start-up Department generally divides subsystems according to the functional characteristics of the system and hands them over to the power station by merging. The inconsistent dimensions of subsystem division make it impossible to establish a one-to-one correspondence between the subsystems of the management systems. In order to break this barrier to association, it is necessary to establish unified basic data based on the subsystem.


1) Establish the department relationship of basic data such as system and plant. For the same system or plant of the same unit, establish a one-to-one logical relationship in the Design information system, the IMS-CA construction management system and the IMS-SU commissioning management system, and establish the unique upstream and downstream association of the system and plant codes across the three management systems.
2) Identify the unit to which a technical change belongs. In the technical change process, after management optimization, the units, systems and subsystems are selected from a drop-down list in all initiating or effective links, which clarifies the systems involved in the technical changes.
3) Data splitting of public X, Y and Z units. Generally, the construction progress of two adjacent units differs considerably, so the implementation and tracking methods of technical changes for the public X, Y and Z units differ. To avoid a technical change of one unit not being implemented, or being closed by mistake, the technical changes of the X, Y and Z units are divided into two technical changes and tracked per unit. Figure 3 shows the DEN splitting function for the X, Y and Z units.

Fig. 3. Schematic diagram of DEN splitting function of X,Y and Z units

3.2.2 Closed-Loop Optimization of Process

Through the combination of active association and passive association of technical changes, the association relationship of each technical change process is established, so that the person in charge of a technical change can query and export the business data related to the other technical change processes while operating in any process, and closed-loop tracking management of technical changes is realized. Figure 4 is a schematic diagram of the relationships between technical changes for which the system has established closed-loop management.

1) Passive association: by mandatory specification of work sources, the association relationship is optimized through drop-down list selection instead of manual filling, which avoids the errors caused by manual filling and ensures the accuracy and uniqueness of the association between upstream and downstream.
2) Active association: on the basis of passive association, the 19 processes, 56 links and 111 options of the design information system, the IMS-CA construction management system and the IMS-SU commissioning management system are sorted out one by one, tree and net structures of the relationships between technical changes are analyzed and established, and new to-do task modules are developed, so that technical changes are triggered directly to form to-do tasks after the approval of the upstream system circulation and the downstream management system, establishing the upstream and downstream relationship actively. At the same time, linkage such as association reminders can be formed by combing and analyzing the relationship between the flow and closing of each technical change process.

Fig. 4. Schematic diagram of the relationships between technical changes for which the system has established closed-loop management (figure: IMS-CA holding DEN, CIN and FCR; IMS-SU holding DCR and PECFUS; "Trigger closed on force" and "PECFUS Trigger closed" links between them)

A project took the lead in developing and applying the closed-loop technical change system. From the generation of a defect to the publication of the change documents, a series of on-site execution processes is triggered, and finally the implementation and reappraisal are completed. The whole process is associated and closed-loop, and its visualization is realized, which greatly improves management efficiency. Figure 5 is taken as an example: the owner proposes to modify the position of the 4ATE instrument, the engineering designer publishes the change document (DEN) to solve the problem, the construction department issues the work order (AWN) to the site according to the DEN, the contractor applies to the commissioning department for the work permit (work ticket), and the commissioning department initiates the reappraisal tracking process (PECFUS). The processes interlock, breaking the management barriers between the previous processes and departments.

3.2.3 The System Automatically Checks and Fills the Leakage

PECFUS, as the reappraisal and tracking process after change implementation, is the last barrier ensuring that on-site changes have been executed accurately and that reappraisal is not missed at the nuclear power plant site.


Fig. 5. Example of technical changes by closed-loop management optimization

Before the optimization of the management system, PECFUS could only be initiated and managed by manually combing the two management systems at regular intervals to match the upstream changes (DEN/CIN/FCR) against PECFUS, which was difficult, inefficient and error-prone, with a very high risk of PECFUS being missed or resent. The optimization developed a PECFUS process center. The module automatically identifies the changes in the IMS-CA construction management system for which no PECFUS has been initiated and generates a to-do item in the IMS-SU commissioning management system; the person in charge of the task simply clicks the button to form the task. At the same time, when a PECFUS is initiated, the management system automatically brings in the unit, system, change description and upstream change attachment information related to the change, so the person in charge does not need to fill in or upload attachments manually, which greatly improves efficiency.

4 Implementation Effect

Since going online, the system has established logical association relationships for the business data of more than 300,000 processes (including remaining items and technical changes) of units 4, 5 and 6 of a project; 22,300 PECFUS have been formed automatically, and 79,899 technical changes have been disposed of. The relationships between changes, defects and work orders have been established, and every work permit process is "based on evidence". The visualization of correlation and closed-loop greatly improves the efficiency of technical change management. The following table shows the comparison of PECFUS process time effectiveness data between unit 3 (before optimization) and unit 5 (after optimization).

Table 1. The comparison of PECFUS process time effectiveness data

Project (including on-site treatment time)   Before optimization   After optimization   Rate of efficiency growth
Average PECFUS processing time               30D                   22D                  27.2%
DEN/CIN/FCR Average flow time                41D                   27D                  33.7%

The closed-loop management system of technical changes breaks the data communication barrier between the different types of work in a nuclear power project and the interfaces between the upstream and downstream of each department, establishes the logical association relationships, realizes visual query and tracking of the upstream and downstream change association process, and effectively avoids problems of technical change reissue such as missing implementation and missing reappraisal. Through the optimization of the management system, the process efficiency of technical changes and the efficiency of personnel are significantly improved, which guarantees the safe and stable operation of the unit. After the optimization of the management system, the process efficiency of a single change item is increased by 30.4% on average. Taking the total number of changes of a single unit and a process time of 7 h per single change process (excluding on-site working time, about 7 process links on average), 168,000 man-hours can be saved; the labor cost saved is about 32.87 million RMB based on a cost of 500,000 RMB per man-year, so good economy is obtained.

5 Conclusion

The closed-loop management system optimization of technical changes studied in this paper improves the process quality and efficiency of technical changes and establishes the requirements of closed-loop change management. After its successful operation in the first unit, this optimization project has been transplanted to other new nuclear power units. In addition, the concept and line of thought of the closed-loop management of technical changes is of practical reference for the management systems of intelligent nuclear power projects and for processes in the "Internet plus" setting.

Reference

1. China Nuclear Power Engineering Co., Ltd.: China's Independent Support Project For Million Kilowatt Class Nuclear Power Station – Innovation and Management of Ling'ao Nuclear Power Plant Phase, pp. 245–247. China Power Press, Beijing (2013)

Research on the Application of STPA Method in Reliability Analysis of Safety Spray Control in NPP

You-Ran Li(B)

State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co., Ltd., Shenzhen, China
[email protected]

Abstract. In order to ensure the safe and stable operation of a nuclear power plant (NPP), safety reliability analysis is necessary. The safety spray control system is an important engineered safety features system used in accidents involving containment over-temperature and over-pressure. This article presents research on the system theoretic process analysis (STPA) method for the reliability analysis of the safety spray control function. It helps to find the potential factors affecting the safety function of the spray control and provides some suggestions to improve system reliability and the safe operation of the station. This is good experience and a new demonstration of STPA application, and is beneficial to subsequent project practice in NPPs.

Keywords: System Theoretic Process Analysis (STPA) · Safe spray control · Reliability

1 General

With the continuous development of nuclear power technology, safety and reliability analysis is important to ensure the safe and stable operation of power stations. In recent years it has become a focus of attention and review by domestic and foreign evaluation units. This applies especially to the digital control system (DCS), which has relatively little application time and experience in the field of nuclear power yet is an important piece of equipment for power station control and monitoring. Therefore, research is needed on an applicable reliability analysis method for the important safety control systems and functions of a Nuclear Power Plant (NPP) [1]. This article gives an application of the system theoretic process analysis (STPA) method to the reliability analysis of the safety spray control system function. It is not only used to solve a specific engineering problem of nuclear power, but also opens up a new direction for reliability analysis and application, and it is of great significance for improving the stability and safety of nuclear power units.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021 Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 589–598, 2021. https://doi.org/10.1007/978-981-16-3456-7_57

590

Y.-R. Li

2 The Characteristics of STPA Method
Compared with traditional reliability analysis methods such as Fault Tree Analysis (FTA) [2] and Failure Mode and Effects Analysis (FMEA) [3], STPA is a newer method that builds a refined model of a complex system. A systematic STPA analysis identifies the unsafe control actions and equipment failures that may compromise safety and lead to unexpected losses under the different operating conditions of the NPP [4]. These unsafe behaviours are not limited to equipment failure; they also include other unforeseen adverse factors. STPA therefore widens the scope of reliability analysis, which is especially valuable for the safety functions of DCS systems: it helps to analyze the influence of personnel, equipment and environment over the whole accident process and to establish the relationships between upstream and downstream elements.

3 The Reliability Analysis of the Safety Spray Control
The safety spray control function for the containment is one of the important actions of the engineered safety features system. It is used in accidents involving containment over-temperature and over-pressure, and it also reduces the concentration of radioactive material. NaOH is injected into the spray solution to reduce the concentration of iodine, a radioactive fission product that may be present in the containment, which limits the radioactive consequences of the accident released outside the containment [5].

3.1 The Engineering Problem of Spray Control
Taking an engineering project as an example, this article analyzes the control requirements of the NaOH isolation valves on the injection pipeline of the safety spray system. The NaOH isolation valves 001VR/002VR/003VR are required to be in different control states at different operating stages:
– During normal operation, 001VR is kept open and 002VR and 003VR are kept closed.
– In a LOCA, when the spray control system must start, 002VR and 003VR are opened and NaOH is injected into the spray solution.
– After the spray function has run for a period of time and the level of the NaOH storage tank drops to its low limit, 001VR, 002VR and 003VR must all be closed to prevent air from entering the safety spray pipeline.

In the third state, if a control failure prevents these valves from closing, air may enter the safety spray pipeline and the safety spray pump may be damaged by cavitation. If the pump fails, the spray function is completely lost, which affects heat removal and containment integrity in the later stage of the accident [6].


Fig. 1. The simple diagram of safe spray system

Therefore, reliability analysis of the control of the NaOH isolation valves is necessary. It helps to find the weak links that may cause the control to fail or the function not to be executed effectively, and to derive improvement suggestions.

3.2 Reliability Modeling Based on STPA Method
For the valve control problem above, the reliability analysis follows the steps of the STPA method [7]:

Step 1: Identify System Boundary
The analysis concerns the control of the NaOH isolation valves, so its main scope covers the isolation valves 001VR/002VR/003VR, the level sensors of the NaOH storage tank and the control system of the safety spray function. Because of the consequences of a control failure, all equipment and pipelines related to the spray pumps are also included.

Step 2: Identify Accidents or Losses
Following the purpose of the analysis, the impact on the NPP of a failure to close the NaOH isolation valves (rejection of the close command) is identified. The unexpected accidents and losses for this analysis are:
– A1: Environment contaminated and people exposed to radioactivity
– A2: Safety function failure
– A3: Equipment damage


Step 3: Identify System-Level Hazards
Which hazards lead to the accidents or losses of Step 2? This step identifies the system-level hazards within the scope defined in Step 1 (Table 1).

Table 1. The system-level hazards vs. accidents or losses

| Hazard | Description |
| H1 | Reactor exceeds limits, radioactive material release |
| H2 | Failure of the safety spray system function |
| H3 | Refusal of the NaOH isolation valve to close |

| Accident or loss | H1 | H2 | H3 |
| A1 Environment contaminated and people exposed to radioactivity | √ | | |
| A2 Safety function failure | | | |
| A3 Equipment damage | | | |

(The original matrix marks each hazard against the accidents it leads to; only the A1/H1 mark was recoverable here, the remaining cells are left blank.)

Step 4: Draw the Control Structure
Based on the system boundary of Step 1, the control structure of the safety spray NaOH isolation valves is drawn with the STPA method, as shown in Fig. 2.

Fig. 2. The control structure diagram of NaOH isolation valve

Step 5: Create Process Model(s)
At the system level shown in Fig. 2 there are two basic controllers: manual control by the operator and automatic control by the control system. The controllers and their process models are represented in Fig. 3, which shows the relationships between the control actions, the process model variables and the process model states.

Step 6: Identify Hazardous Control Actions
The main control actions are identified first and the hazardous ones are then selected. Four control actions (CA1–CA4) appear in the control process model of Fig. 3. Given the object and purpose of this analysis, CA3 and CA4, the valve control actions, are the focus. The control actions and the related process model variables are listed in Table 2.

Next, the hazardous control actions are identified. From Step 2, the unexpected accidents and losses stem from the failure to close the NaOH isolation valves, so the hazardous control action is CA4 refused (valves not closed). For CA4, the combinations of process model variables, states, signals and control modes are consolidated, each combination is judged hazardous or not, and the STPA worksheet is completed. When an action has many combinations the number of contexts to evaluate can grow significantly, so the table shows only an extract of the STPA analysis result; each hazardous control action is documented in the format of Table 3.

Step 7: Identify Potential Causes of Hazardous Control Actions
Combining the results of Step 6, the hazardous control actions with the most serious consequences are screened out. For each of them the control flaws presented in Fig. 1 are considered, and the STPA analysis establishes a direct connection between the hazardous control action and each potential cause. This makes the effects of equipment failure, human failure, control system failure and so on more intuitive to analyze. Table 4 gives an example of the potential cause analysis.


Fig. 3. The control process models of NaOH isolation valve

Table 2. The control actions and the process models

| Controller | Control action | Next controller or control process element | Process model variable | States of the process model variable |
| Manual / automatic control system | CA3 ON command of the valve | Control signals acquisition and processing | Liquid level | Normal / below limit / above limit |
| | | Output of the control command | Valve command | Valve ON / Valve OFF |
| | | Feedback signals of the control equipment | Valve state | Valve OPEN / Valve CLOSE |
| Manual / automatic control system | CA4 OFF command of the valve | Control signals acquisition and processing | Liquid level | Normal / below limit / above limit |
| | | Output of the control command | Valve command | Valve ON / Valve OFF |
| | | Feedback signals of the control equipment | Valve state | Valve OPEN / Valve CLOSE |
| …… | | | | |

Table 3. The STPA results for hazardous control action

Controller: Manual Control System / Automatic Control System
Control action: CA4, the close action of the NaOH valves
Postulated behaviour: the valves are not closed in time (rejection action) when needed
Related hazards: H1 Reactor exceeds limits, radioactive material release; H2 The failure of the safety spray system function; H3 Refusal of the NaOH isolation valve to close

Worksheet columns: Row | Plant conditions (Normal or Accident) | Control mode (Manual or Automatic) | Process model variables: control command (ON / OFF), control signals (level Normal / Below / Above), feedback of control (OPEN / CLOSE), equipment state of the valve (OPEN / CLOSE) | Is the situation already hazardous? | Is the CA behaviour hazardous? | Related hazards | Comments

Analysis results (extract; the per-context values of the process model variables did not survive extraction and are omitted):

| Row | Plant condition | Control mode | CA hazardous? | Related hazards | Comments |
| 1 | Normal | Manual | No | —— | —— |
| 2 | Normal | Manual | Yes | H2 H3 | The valve is closed by mistake and the NaOH solution is lost. |
| …… | Normal | …… | Yes | H3 | Wrong control command, but the valves refuse to act. |
| …… | …… | …… | Yes | H2 H3 | The valve is closed by mistake and the NaOH solution is lost. |
| 17 | Accident | Manual | Yes | H1/H2/H3 | No control command, and the pump is damaged by cavitation. |
| 18 | Accident | Manual | Yes | H3 | No control command, but the valve closes by mistake. |
| 19 | Accident | Manual | Yes | H1/H2/H3 | The valves refuse to close and the pump is damaged by cavitation. |
| …… | | | | | |
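As an added example (not code from the paper), the following Python script enumerates the CA4 contexts from the process model variables of Table 2 and flags the hazardous ones with the hazards H1–H3, which is the combinatorial worksheet Step 6 describes. The rules in required_action() and classify() are this example's own reading of Section 3.1 (normal operation: 001VR open, 002VR/003VR closed; LOCA: NaOH injection wanted; tank at low limit: all valves must close); the function and variable names are assumptions, not the paper's.

```python
"""STPA context table for CA4, the close command of the NaOH isolation valves.

Added worked example, not code from the paper. Process-model variables and
states follow Table 2 of the paper; the rules below are an assumption based
on Section 3.1 (normal: 001VR open, 002VR/003VR closed; LOCA: NaOH injection
wanted; tank at low limit: all valves must be closed)."""
from dataclasses import dataclass
from itertools import product

PLANT_CONDITIONS = ("normal", "accident")
CONTROL_MODES = ("manual", "automatic")
LEVEL_SIGNALS = ("normal", "below_limit", "above_limit")  # NaOH tank level
COMMANDS = ("none", "on", "off")                          # command actually issued
VALVE_STATES = ("open", "close")                          # feedback / equipment state

HAZARD_TEXT = {
    "H1": "reactor exceeds limits, radioactive material release",
    "H2": "failure of the safety spray system function",
    "H3": "NaOH isolation valve refuses to close",
}


@dataclass(frozen=True)
class Context:
    plant: str
    mode: str
    level: str
    command: str
    valve: str


def enumerate_contexts():
    """Every combination of process-model states: one worksheet row each."""
    return [Context(*c) for c in product(PLANT_CONDITIONS, CONTROL_MODES,
                                         LEVEL_SIGNALS, COMMANDS, VALVE_STATES)]


def required_action(ctx):
    """What the procedure requires of CA4 in this context (assumption)."""
    if ctx.plant == "accident" and ctx.level == "below_limit":
        return "off"   # tank empty: close all valves to keep air out of the line
    if ctx.plant == "accident":
        return "on"    # spray running: keep the NaOH injection path open
    return "none"      # normal operation: no CA4 command expected


def classify(ctx):
    """Hazards linked to the postulated behaviour of CA4 in this context."""
    need = required_action(ctx)
    if need == "off":
        if ctx.command != "off":
            # rejection by omission: no close command, air enters the line,
            # the pump cavitates, spray is lost, containment at risk (cf. row 17)
            return frozenset({"H1", "H2", "H3"})
        if ctx.valve == "open":
            # close command given but the valve did not act (cf. row 19)
            return frozenset({"H1", "H2", "H3"})
        return frozenset()
    if need == "on" and (ctx.command == "off" or ctx.valve == "close"):
        # mistaken close during injection: NaOH solution not delivered
        return frozenset({"H2"})
    return frozenset()


def worksheet():
    """Rows of the STPA worksheet whose CA behaviour is hazardous."""
    rows = []
    for ctx in enumerate_contexts():
        hazards = classify(ctx)
        if hazards:
            rows.append((ctx, hazards))
    return rows


def format_row(ctx, hazards):
    return (f"{ctx.plant:8} {ctx.mode:9} level={ctx.level:11} cmd={ctx.command:4} "
            f"valve={ctx.valve:5} hazards={'/'.join(sorted(hazards))}")


if __name__ == "__main__":
    rows = worksheet()
    print(f"{len(enumerate_contexts())} contexts, {len(rows)} hazardous")
    for ctx, hazards in rows:
        print(format_row(ctx, hazards))
```

With five variables the table already has 72 contexts, of which 26 are hazardous under these rules; adding the feedback signal as a separate variable from the equipment state, as Table 2 does, doubles the count again, which is the growth the text warns about.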


Table 4 gives an example of the potential cause analysis for one of the hazardous control actions from Step 6; tracing each cause to its protective measure in this way makes the measures easy to follow up.

Table 4. The potential causes of hazardous control action

| No. | Control mode | Hazardous control action | Primary cause (system level) | Potential cause (equipment level) | Protective measures |
| 17 | Manual | No control command is given | Human factors | Operator misjudgment (display equipment of the states, control mode, operation time) | Optimize procedures |
| | | | | Operator miswork | Strengthen operator training |
| | | | | Sensor | —— |
| | | | Control system | Failure of the manual controller (hardware) | Redundant controller; provide reliability performance |
| | | | | Failure of the command transmission (hardwire) | —— |
| | | | | Failure of the command output (output component) | Reduce the failure rate of the equipment |
| 19 | Manual | Control command is given, but the valves refuse to close (no action) | Equipment | Failure of the valve actuator (power supply, air supply, mechanical part, etc.) | Redundancy and diversity to reduce common cause failures |
| 25 | Automatic | … | … | … | … |

Step 8: Apply the Results
From the analysis of Step 7, the potential causes of the hazardous control action are mainly:
– failure of human factors, the control system or the valve equipment in manual control mode;
– failure of the control signals, the control system or the valve equipment in automatic control mode.


Combined with the current design, the situation for each cause is as follows:
– Valve equipment: the NaOH isolation valves consist of one pneumatic valve and two electric valves. This redundant and diverse configuration reduces common cause failures.
– Control system: the valve control is a safety function of the protection system. The safety DCS platform has a multiply redundant structure that ensures high reliability of the control system. The output component is the key part of the control system and is configured separately for each valve, so a single component failure cannot cause all the valves to fail [8].
– Control signals: the automatic control command comes from the liquid level sensor signal, and the manual control command from the operator also relies on the monitored sensor signal. The control signal is therefore a key factor.
– Human factors: these are the key factor in manual control mode. Human failure has many causes, such as environment and management, but the one most directly related to operator control is the operating procedure, which governs the operator's actions. A sound procedure is therefore the key part of the human factors of manual control. Since manual control is the backup of automatic control, it is also the last line of defence for the control function.

3.3 Improvement Suggestions Based on STPA Result
To address the weak links of the safety spray function and improve the reliability of the NaOH isolation valve control, the engineering feasibility of acting on each key factor must be considered. For the signal factor, the reliability of the main sensors depends on product type and performance, so it is not easy to improve and depends on technology development.
For the human factor, the key part is the operating procedure, which still has room for improvement for the NaOH valve control. At present there is no requirement to verify the state of the valves after the close command on low NaOH tank level; the operator only considers manual control on the low-level condition. If a verification of the states of all the valves is added during the automatic control, the operator can discover a failure promptly and issue the manual control command in time. Each factor should be matched with its related protective measures, but improving the operating procedure is easier and cheaper to achieve in engineering practice than the other measures.

4 Conclusions
This article studies the application of the STPA method to the reliability analysis of safety spray control in an NPP. Following the steps of STPA, the potential factors affecting the safety spray control can be found and improvement suggestions derived that help system reliability and safe plant operation. By its nature, the STPA method supports building a comprehensive model for reliability analysis; however, the more detailed the factors, the larger the model becomes, and suitable tools are needed to optimize it and promote further engineering application.

References
1. Guang Dong Nuclear Power Training Center: 900 MW Pressurized Water Reactor Nuclear Power Plant, pp. 286–294. Atomic Energy Publisher, Beijing (2005)
2. Kuo, W.: Reliability and nuclear power. IEEE Trans. Reliab. 60(2), 365–367 (2011)
3. Garrick, B.J., Kaplan, S.: Reliability technology and nuclear power. IEEE Trans. Reliab. 25(3), 151–157 (1976)
4. Electric Power Research Institute (project manager R. Torok): Hazard Analysis Methods for Digital Instrumentation and Control Systems 6, 207–224 (2013)
5. Chung, J.N., Loyalka, S.K.: Effectiveness of containment spray systems 47(1), 1–8 (2006)
6. Zhang, L., Zhou, Q., Chu, Z.-H.: Analysis of the safety spray pump for 100MkW PWR nuclear power plants. Gener. Mach. 02, 77–83 (2012)
7. Leveson, N.G.: An STPA Primer. Cambridge, MA (2013)
8. Wang, B., Zhang, H., Zuo, X.: The performance evaluation and reliability analysis for DCS in service. Autom. Petro-Chem. Ind. (2009)

Study for Reliability Analysis of Operator Response Process Under IBLOCA Accident in Nuclear Power Plant
Zhi-Hui Xu, Jie-Mei Zhang, Xue-Gang Zhang, Ming Jia, De-Song Su, and Hua-Qing Peng, State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co., Ltd., Shenzhen 518172, China

Abstract. The reliability of the operator's response process after a nuclear power plant accident has an important impact on the overall reliability of accident mitigation. The automatic diagnostic function of nuclear power plant state, designed for the advanced digital control system, monitors and processes plant data and provides an initial orientation or re-orientation diagnosis for the Emergency Operating Procedures (EOPs) during emergency operating conditions. The operator response process in the main control room, and in particular the potential human errors, therefore has new characteristics compared with the traditional approach. A qualitative assessment of the operator response process forms the basis for quantifying the associated Human Error Probability (HEP). This paper studies the reliability of the operator actions required to establish simultaneous hot leg injection following an Intermediate Break Loss of Coolant Accident (IBLOCA), a typical accident condition of a nuclear power plant. The accident sequence and operator actions are given, and the qualitative and quantitative assessments are carried out with the SPAR-H method on a constructed fault tree. The result shows that the failure probability when operating from the Auxiliary Control Panel (ACP) is higher than when operating from the Plant Computer Information & Control System (PCICS). The main recommendations are to provide more training for operation from the ACP following a loss of the PCICS, to increase the descriptive information within the EOPs and the Human Machine Interface (HMI), and to provide a dedicated plant status display system so as to reduce the reliance placed on the knowledge and memory of the operators for important information about plant configuration.
The reliability assessment helps to improve human factors suitability, guides the optimization of the operator's response process and effectively improves the reliability of the engineering design under an IBLOCA accident scenario.

Keywords: Accident scenario · Operator Response Process · Reliability analysis · Human factor

1 Introduction
The operator's response process after a Nuclear Power Plant (NPP) accident is an important part of mitigating the accident and limiting its consequences [1].

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021 Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 599–609, 2021. https://doi.org/10.1007/978-981-16-3456-7_58

600

Z.-H. Xu et al.

Therefore the reliability of the operator's response process after an accident has an important impact on the overall reliability of accident mitigation. The purpose of this paper is to study the reliability of the operator actions required to establish hot leg injection following an Intermediate Break Loss of Coolant Accident (IBLOCA). The paper has four parts. The first introduces the IBLOCA accident and its sequence and identifies the important human actions involved; the second gives the qualitative analysis of operator reliability in the accident response process; the third gives the quantitative results; the final part summarises and discusses the results of the assessment.

2 Analysis of IBLOCA Accident Scenario
An IBLOCA is defined by a break size for which the Safety Injection System (SIS) cannot reach the Residual Heat Removal mode that the safe state criteria require. In such an IBLOCA scenario, reaching the long-term safe state therefore requires the operator to switch the LHSI pumps to simultaneous hot and cold leg injection; this is a typical accident condition of a nuclear power plant. An IBLOCA occurs in the Reactor Coolant System (RCS) pipework, or in the pipework of connected systems upstream of the second isolation valves, and causes a decrease in RCS pressure and water inventory. If unmitigated, the core could become uncovered and fuel damage could occur.
The operator response process to an IBLOCA is most complex when the plant is at full power. At full power, an intermediate break occurs; medium pressure rapid cooldown (MCD) succeeds, medium pressure safety injection (MHSI) start-up succeeds, medium pressure accumulator injection succeeds and low pressure safety injection (LHSI) cold leg start-up succeeds. LHSI injection into the hot leg must then be started manually (Fig. 1). The controlled state is achieved when:
• SIS and the Atmospheric Steam Dump System (ASDS) are removing RCS heat; and
• core sub-criticality is ensured; and
• RCS inventory is stabilised by SIS.
The key event sequence follows from this description; the key operator action succeeds only after the following preceding events:
a) Medium pressure rapid cooldown.
b) Medium pressure safety injection.
c) Medium pressure accumulator injection.
d) Low pressure safety injection.
e) Simultaneous hot leg and cold leg injection.


Fig. 1. The general flow diagram of IBLOCA

3 Overview of Operator Response Process
3.1 Required Operator Actions
The key operator action, initiating simultaneous injection into the hot leg, is specified in the Emergency Operating Procedure (EOP) of the NPP for restoring primary loop inventory. The requirement to enter that EOP is indicated by the presence of the permissive signal (P signal), which is actuated when all of its conditions are met. Until then the operator is not directed to enter the EOP for restoring primary loop inventory, which contains the instructions to establish simultaneous hot leg injection after the IBLOCA.
Based on the event scenario above, the following auxiliary operator actions are also required to achieve the safe state following an IBLOCA:
• Manual MCD: the RCS is cooled down at medium pressure via the steam generators on the secondary side using ASDS.
• Stop MHSI: the MHSI pumps are stopped manually when the core outlet temperature has fallen to the threshold and the hot leg saturation margin and hot leg water level are sufficiently high.
• Isolate the medium pressure accumulators: manual isolation when RCS pressure is below the defined threshold.
• Establish hot leg injection: because the SIS cannot reach residual heat removal mode in this scenario, the operator must establish simultaneous LHSI injection to the hot and cold legs to obtain long-term heat removal.

3.2 Overview of Operator Response Process in Main Control Room (MCR)
The automatic diagnostic function of NPP state is part of the advanced digital control system and is installed on the Plant Computer Information & Control System (PCICS). By monitoring and processing plant data it provides an initial orientation or re-orientation diagnosis for the EOPs during emergency operating conditions. The initial annunciation of this function, which occurs almost immediately after the IBLOCA, directs the operator to implement the EOP for cold shutdown with safety injection (SI) signal. The operator continues with that EOP until the automatic diagnostic function re-annunciates and re-directs them to another EOP. The main control room contains the PCICS and the Auxiliary Control Panel (ACP). The ACP is a backup of the PCICS: if the PCICS fails, the operator can transfer to the ACP to continue the control and monitoring required by the accident procedure (Fig. 2).

Fig. 2. Overview of operator response process in MCR. The figure shows two paths from the IB LOCA: with the PCICS available, SI → Initial Orientation → Cold Shutdown with SI → P Signal → Restore Water Inventory → Success (simultaneous hot and cold leg injection); with a revealed PCICS fault, Transfer to ACP → Cold Shutdown with SI → Restore Water Inventory → the same success state.

4 Analysis of Potential Errors in Operator Response Process
Task Analysis is used for the qualitative assessment of the operator actions required in response to an IBLOCA, to determine the key task steps and the relevant PSFs. It was completed for the required operator response to an IBLOCA scenario using the two main operating systems within the MCR, the PCICS and the ACP. The qualitative assessment forms the basis for the quantification of the associated HEPs [2].


4.1 Task Analysis
The task analysis gives a graphical illustration of the individual task steps that make up the required operator response and of the relationships between them. It is based on a generic structure of three high-level tasks: detect, diagnose and implement (Fig. 3).

0 Establish simultaneous hot leg and cold leg injection within the P signal
  1 Detect the onset of fault conditions
    1.1 Detect IBLOCA
    1.2 Detect I&C failure
  2 Determine the required operator response
    2.1 Identify fault symptoms
    2.2 Select procedure
    2.3 Confirm procedure
      2.3.1 Agree procedure to be implemented
  3 Implement the required operator response

Fig. 3. Task analysis of operator response process

4.2 Potential Error Identification
Potential errors are safety significant if their consequence is a failure to achieve the required operator response (simultaneous LHSI to the hot and cold legs) within the time available. The general error modes of situational awareness and workload are high level, so the detailed insights into potential error modes that support the development of error mitigation strategies are harder to obtain from them; this paper therefore combines SPAR-H with these general concepts of human performance [3].
4.2.1 Situational Awareness
The factors that influence situational awareness are predominantly a function of the HMI, which is one of the eight PSFs of SPAR-H. Consideration of the relevant HMI design features (the provision of appropriate cues, indications and feedback) is therefore used to identify, as far as the available information allows, any potential for insufficient or ambiguous information to degrade the operator's ability to maintain an appropriate level of situational awareness [4].


A good level of operator situational awareness reflects the validity of several fundamental assumptions of Human Reliability Assessment (HRA): fit-for-duty individuals operating in accordance with well-designed procedures from well-designed HMIs. The key cues and necessary feedback are provided to the operator, and the purpose of the monitoring and re-orientation phases of the EOPs is to maintain situational awareness by regularly checking the relevant parameters. No reliance is placed on the knowledge and memory of the operators to understand the plant state.
4.2.2 Workload
The factors that influence workload are predominantly a function of task design. Consideration of the task-design-related PSFs, such as stress, time pressure, unfamiliarity and complexity, is therefore used to identify any potential for high workload to degrade operator reliability [5]. Manually determining the correct post-fault strategy, as is required when operating from the ACP after a loss of the PCICS, increases the workload of the required operator response and introduces an additional opportunity for error.
4.2.3 Potential Errors
The following safety significant potential errors have been identified for the scenarios within the scope of this paper.
When operating from the PCICS with the automatic diagnostic function of NPP state providing the required post-fault strategy:
• the operator fails to detect the requirement to implement the procedure for restoring water inventory;
• the operator fails to establish hot leg injection within some minutes after the P signal.
When operating from the ACP following failure of the PCICS (so that no automatic diagnostic function of NPP state is available):
• the operator fails to detect the P signal;
• the operator fails to determine the requirement to implement the procedure for restoring water inventory;
• the operator fails to establish hot leg injection within some minutes after the P signal.

5 Human Reliability Assessment
The reliability of the operator actions associated with establishing hot leg injection following an IBLOCA is quantified using the SPAR-H methodology. The time to complete the actions necessary to establish simultaneous hot leg injection is considered in the following sub-sections for the two variants: operating from the PCICS and operating from the ACP. If a PCICS failure occurs and is detected by the operators, operations are conducted from the ACP; there is then no automatic diagnostic function of NPP state, so the operator must manually determine the required procedure [6–8].


5.1 Fault Tree Structure of Operator Response Process
The automatic diagnostic function of NPP state automates Step 2 of the task analysis. When it functions correctly there are therefore no credible potential operator errors associated with determining the required response. If it fails, the operator must determine the required response manually, which introduces the potential for error in Step 2. The fault tree structure proposed for these scenarios is given in Fig. 4. Note that in this fault tree structure the veracity checks provide a genuine recovery opportunity for all potential failure modes of the automatic diagnostic function. The same structure also models the scenarios that include a loss of the PCICS.

Fig. 4. Fault tree structure (automatic diagnostic function of NPP state / PCICS failure). Node labels recovered from the figure: top event "Failure to prevent IBLOCA"; intermediate events "Fail in PCICS" and "Fail in ACP"; lower events "Fail to AD diagnosis", "Fail to manual diagnosis", "Fail to recover", "Fail to determine", "Fail to select" and "Fail to implement".

5.2 Recovery Opportunities
An MCR crew consists of OP1, OP2, the Unit Supervisor (US), the Shift Supervisor (SS) and the Safety Engineer (SE). OP1 is responsible for the Nuclear Island and OP2 for the Conventional Island. In accident conditions OP1 operates the Nuclear Steam Supply System (NSSS) and the engineered safety features, while OP2 operates the steam generators, turbine generator, water supply system and other auxiliary systems. The opportunities for the MCR crew of OP1, OP2 and the US to recover their own errors are provided by the monitoring phase (and, when operating from the ACP, also the re-orientation phase) of the EOPs. The SE can arrive in the MCR a dozen minutes after the onset of the fault conditions and conducts the veracity checks from the ACP; the SS fulfils the SE role until the SE arrives. It is therefore reasonable to credit this recovery opportunity.

5.3 Dependency Analysis
No credit is taken for the US recovering errors made by OP1, which is equivalent to modelling complete dependency between these members of the MCR crew. The potential for dependency to affect the reliability that can be credited for the recovery opportunity provided by the SE is assessed, given the SE's greater independence from the other members of the MCR crew. Figure 5 illustrates the logic used to derive a moderate level of dependency for the recovery opportunity when operating from the PCICS and from the ACP (scenarios 1 and 2).

Fig. 5. Recovery opportunity dependency assessment. The SPAR-H dependency decision tree is evaluated on crew (same or different), time (close in time or not close in time), location (same or different) and cues (additional or no additional); the branches shown end in high and moderate dependency, and the assessed path, same crew and not close in time, gives moderate dependency.

5.4 Human Error Probability of Operator Response Process
Following the qualitative analysis, the PSFs for determining and implementing the procedure for restoring the water inventory from the PCICS and from the ACP are assessed with the SPAR-H method. Three sub-scenarios are evaluated for comparison:
Scenario 1: operating from the PCICS with the automatic diagnostic function of NPP state.
Scenario 2: operating from the ACP.
Scenario 3: operating from the PCICS and manually determining the post-fault procedure.
The assessment of scenarios 1 and 2 provides a model that bounds scenario 3, so Table 1 gives the PSFs for scenarios 1 and 2 only. In scenario 1, when the automatic diagnostic function works correctly there is no opportunity for operator error in determining the correct strategy, so only the PSFs for the action need to be assessed [9]. SPAR-H has two nominal HEPs, 0.01 for diagnosis and 0.001 for action, which are modified by the eight PSFs of Table 1. The human error probability is $P = P_d + P_a$, where $P_d$ is the diagnosis error probability and $P_a$ the action error probability.


Table 1. PSFs for operator response process

| PSF for diagnosis (Scenario 2) | Multiplier | PSF for action (Scenario 1 and 2) | Multiplier |
| Available Time                 | 1          | Available Time                    | 1          |
| Stress                         | 2          | Stress                            | 2          |
| Complexity                     | 2          | Complexity                        | 2          |
| Experience/Training            | 1          | Experience/Training               | 1          |
| Procedures                     | 0.5        | Procedures                        | 0.5        |
| HMI                            | 1          | HMI                               | 1          |
| Fitness for Duty               | 1          | Fitness for Duty                  | 1          |
| Work Processes                 | 1          | Work Processes                    | 1          |

where Pd refers to the diagnosis error probability and Pa refers to the action error probability. Pd and Pa are calculated according to the following equations respectively:

$P_d = 0.01 \times \prod_{i=1}^{8} \mathrm{PSF}_i$ (1)

$P_a = 0.001 \times \prod_{i=1}^{8} \mathrm{PSF}_i$ (2)

The HEPs for establishing hot leg injection following an IBLOCA during the full power state, from both the PCICS and the ACP, are summarised below; the recovery by the safety engineer is also considered [10].

Scenario 1: Operator fails to establish hot leg injection (from the PCICS, with the automatic diagnostic function of nuclear power plant state)

Pa = 1.0E-3 × 1 × 2 × 2 × 1 × 0.5 × 1 × 1 × 1 = 2.0E-3 (3)

HEP = 2.0E-03 × 0.15 = 3.0E-4.

Scenario 2: Operator fails to establish hot leg injection (from the ACP)

Pd = 1.0E-2 × 1 × 2 × 2 × 1 × 0.5 × 1 × 1 × 1 = 2.0E-2 (4)

Pa = 1.0E-3 × 1 × 2 × 2 × 1 × 0.5 × 1 × 1 × 1 = 2.0E-3 (5)

HEP = (2.2E-2 + 2.0E-3) × 0.5 = 1.1E-2. Note that the overall figure for scenario 2 does not include the contribution from the HEP associated with detecting the I&C failure.

Scenario 3: Operator fails to establish hot leg injection (from the PCICS, without the automatic diagnostic function of NPP state)

Pd = 1.0E-2 × 1 × 2 × 2 × 1 × 0.5 × 1 × 1 × 1 = 2.0E-2 (6)

Pa = 1.0E-3 × 1 × 2 × 2 × 1 × 0.5 × 1 × 1 × 1 = 2.0E-3 (7)

HEP = (2.2E-02 + 2E-03) × 0.15 = 3.3E-03.
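The SPAR-H calculation above, carried out in code as an added example (this is not the paper's own code). The nominal HEPs 0.01 and 0.001, the Table 1 multipliers, and the recovery factors 0.15 (moderate dependency, scenarios 1 and 3) and 0.5 (high dependency, scenario 2) are the values the paper uses; with Pd = 2.0E-2 from (4) and (6) the totals 1.1E-2 and 3.3E-3 follow. The function names and dictionary layout are mine. It goes one step beyond the paper: the composite-PSF adjustment that the SPAR-H method [9] applies when three or more PSFs are negative is included, since that is what keeps a large multiplier product from exceeding a probability of 1; the paper's scenarios (two negative PSFs) never trigger it.

```python
"""SPAR-H human error probability for the three IBLOCA scenarios (added example)."""
from math import prod

NOMINAL_HEP = {"diagnosis": 0.01, "action": 0.001}   # SPAR-H basic HEPs
PSF_NAMES = ("Available Time", "Stress", "Complexity", "Experience/Training",
             "Procedures", "HMI", "Fitness for Duty", "Work Processes")
# Table 1 multipliers; the paper uses the same set for diagnosis and action.
TABLE1_PSFS = {"Available Time": 1, "Stress": 2, "Complexity": 2,
               "Experience/Training": 1, "Procedures": 0.5, "HMI": 1,
               "Fitness for Duty": 1, "Work Processes": 1}
# Multiplier applied for the safety engineer's recovery, keyed by the
# dependency level of Fig. 5, with the values used in (3)-(7).
RECOVERY_FACTOR = {"moderate": 0.15, "high": 0.5}


def spar_h_hep(task, psfs):
    """HEP = nominal HEP x product of the eight PSF multipliers (eqs. 1-2).
    With three or more negative PSFs (multiplier > 1) SPAR-H uses
    nhep*comp / (nhep*(comp-1) + 1) instead, which keeps the result below 1."""
    missing = [n for n in PSF_NAMES if n not in psfs]
    if missing:
        raise ValueError(f"missing PSF multipliers: {missing}")
    nhep = NOMINAL_HEP[task]
    composite = prod(psfs[n] for n in PSF_NAMES)
    negative = sum(1 for n in PSF_NAMES if psfs[n] > 1)
    if negative >= 3:
        return nhep * composite / (nhep * (composite - 1) + 1)
    return min(1.0, nhep * composite)


def scenario_hep(diagnosis_psfs, action_psfs, dependency):
    """Return (Pd, Pa, HEP) for one scenario.  diagnosis_psfs=None models
    scenario 1, where automatic diagnosis leaves no diagnosis error to make."""
    pd = spar_h_hep("diagnosis", diagnosis_psfs) if diagnosis_psfs else 0.0
    pa = spar_h_hep("action", action_psfs)
    return pd, pa, (pd + pa) * RECOVERY_FACTOR[dependency]


SCENARIOS = {
    1: dict(diagnosis_psfs=None, action_psfs=TABLE1_PSFS, dependency="moderate"),
    2: dict(diagnosis_psfs=TABLE1_PSFS, action_psfs=TABLE1_PSFS, dependency="high"),
    3: dict(diagnosis_psfs=TABLE1_PSFS, action_psfs=TABLE1_PSFS, dependency="moderate"),
}


def all_scenarios():
    """Pd, Pa and HEP for scenarios 1-3 as a dict keyed by scenario number."""
    return {k: scenario_hep(**v) for k, v in SCENARIOS.items()}


if __name__ == "__main__":
    for k, (pd, pa, hep) in all_scenarios().items():
        print(f"Scenario {k}: Pd={pd:.1E}  Pa={pa:.1E}  HEP={hep:.1E}")
```

Running the block prints Pd, Pa and HEP for each scenario; changing a multiplier in TABLE1_PSFS shows how sensitive the result is to a single PSF rating, which is the main lever in any SPAR-H assessment.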

6 Conclusions

Usually the operator passively adapts to the characteristics of the finished design, which does not help to raise operator reliability and may also cause unnecessary human error. This paper has carried out a qualitative and quantitative human reliability assessment of the operator's response process after an IBLOCA accident in a nuclear power plant. For the IBLOCA accident the time window is ample and the accident process is not urgent; nevertheless the failure probability of operating from the ACP is higher than that of operating from the PCICS. This is because detecting the I&C failure, transferring to the ACP and re-orienting in the ACP consume extra time, which shortens the available time window. In order to improve the reliability of the operator's response process, the recommendations are as follows: provide training for operating from the ACP following a loss of the PCICS; increase the descriptive information within the EOPs and the HMI, and provide a dedicated plant status display system, so as to reduce the reliance placed on the knowledge and memory of the operators for important information about the plant configuration. This paper is only a rough and conservative assessment; further detailed analysis can give a more accurate evaluation and find more useful recommendations, so as to effectively improve the reliability of the engineering design.

References

1. Boring, R., Boring, L., Gertman, D.I.: Atomistic and holistic approaches to human reliability analysis in the US Nuclear Power Industry. Safety Reliab. 25(2), 21–37 (2005)
2. Lee, S.W., Kim, A.R., Ha, J.S., Seong, P.H.: Development of a qualitative evaluation framework for performance shaping factors (PSFs) in advanced MCR HRA. Ann. Nucl. Energy 38, 1751–1759 (2011)
3. Lee, S.J., Kim, J., Jang, S.C.: Human error mode identification for NPP main control room operation using soft controls. J. Nucl. Sci. Technol. 48(20), 902–910 (2011)
4. Taylor, R.M.: Situational awareness rating technique (SART): the development of a tool for aircrew systems design. In: Situational Awareness. Routledge, New York, pp. 111–128 (2017)
5. Moray, N.: Mental Workload: Its Theory and Measurement. Springer Science & Business Media, Boston (2013). https://doi.org/10.1007/978-1-4757-0884-4
6. Jang, I., Kim, A.R., Jung, W., Seong, P.H.: A framework of human reliability analysis method considering soft control in digital main control rooms. In: Proceedings of 16th International Conference on Human Interface and the Management of Information: Information and Knowledge Design and Evaluation, Heraklion, Grete, Greece (2014)
7. Ma, Z., Yoshikawa, H., Nawaz, A., Yang, M.: A human–machine interaction design and evaluation method by combination of scenario simulation and knowledge base. J. Nucl. Sci. Technol. 55(5), 516–529 (2018)
8. Jun, Y., Bowen, Z., Ming, Y.: Bidirectional implementation of Markov/CCMT for dynamic reliability analysis with application to digital I&C systems. Reliab. Eng. Syst. Safety 185, 278–290 (2019)
9. Gertman, D., Blackman, H., Marble, J., Byers, C., Smith C.: The SPAR-H Human Reliability Analysis Method, NUREG/CR-6883. Idaho National Laboratory. USNRC, Washington D.C. (2004)
10. Jang, I., Jung, W., Seong, P.H.: Human error and the associated recovery probabilities for soft control being used in the advanced MCRs of NPPs. Ann. Nucl. Energy 87(2), 290–298 (2016)

Failure Analysis and Optimization of Turbine Speed-Up Control for Nuclear Power Plant

Le-Yuan Bai1,2(B), Xu-Feng Wang1,2, Heng Li1,2, and Bin Zeng1,2
1 State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, Shenzhen 518172, Guangdong, China
2 China Nuclear Power Design Company LTD. (Shenzhen), Shenzhen 518172, Guangdong, China
[email protected]

Abstract. Turbine speed-up control is the key part of power unit start-up. In this paper, the sequential control of the one-key start of a nuclear power steam turbine is studied. It is found that a false grid-connected signal is one of the potential risk factors that lead to the failure of turbine speed-up control. An optimization scheme that adds false grid-connected signal detection and automatic locking of speed-up is proposed, which improves the reliability and safety of unit speed-up control and provides a reference for subsequent unit one-key start-up design.

Keywords: Turbine · Speed-up · Grid connected signal · Fault detect · Optimization

1 Introduction

Turbine run-up is an important part of the start-up process of the power unit. Its main task is to raise the turbine speed safely to the rated speed and keep it stable, providing the basic precondition for the unit to be connected to the grid. The main control task of turbine run-up is speed-up control. At present, sequential control is widely used to realize the automatic run-up of units. Some units have completed a fully automatic "one-key start" control scheme covering cold state to hot state, run-up, grid connection and loading [1, 2]. On the one hand, the automation and intelligence level of unit start-up is improved, and the time and labour cost of unit start-up are saved; on the other hand, higher requirements are placed on unit automation, intelligence and operation management. Once there is a design defect or an abnormal external condition in any link, it may lead to the failure of unit start-up and even bring risks such as loss of control of the unit and over-speed. In this paper, the run-up sequential control of a nuclear power turbine is studied, aiming at identifying the potential risks that lead to the failure of speed-up control during the run-up process, and proposing optimization measures to improve the safety and reliability of speed-up control in the run-up sequential control.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021 Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 610–615, 2021. https://doi.org/10.1007/978-981-16-3456-7_59


2 Original Scheme

A nuclear power turbine adopts sequence control technology for start-up. The start-up process is mainly divided into four stages: turning, warming-up, run-up and grid connection [3]. Sequential control is used to control the whole process of steam turbine start-up and speed increase.

Fig. 1. Flow chart of turbine start-up

As shown in Fig. 1, the start-up sequence control is mainly divided into the following eight steps [4–6]:

1) When the start-up sequence control is put into operation, the first step is to confirm the turning speed; when the turning speed is not satisfied, the operator sets it manually.
2) In the second step, when the warming-up condition is reached, the warming-up speed is set and the steam turbine speed is increased to n2.
3) The third step is to manually release run-up, and the steam turbine enters the run-up stage.
4) The fourth step is to automatically set the run-up speed, and the steam turbine starts speed-up.
5) The fifth step is to turn off run-up when the steam turbine approaches the rated speed.
6) The sixth step is to check the grid-connected conditions to prepare for grid-connected power generation.
7) The seventh step is to permit synchronization, and the steam turbine sends out a synchronization-permitted signal.
8) In the eighth step, the generator switch is closed, the steam turbine carries its initial load, and the grid connection is successful.

Under normal circumstances, the steam turbine gradually increases its speed from the initial rotational speed to the rated speed according to the preset sequence, and finally connects to the grid. However, when some condition fails or is triggered by mistake, it may lead to automatic start-up failure or runaway. During one run-up, the turbine speed did not stabilize after rising to the rated speed but continued to rise, resulting in the failure of the run-up. After verification, the closing signal of the generator outlet circuit breaker had been triggered by mistake, producing a false grid-connected signal during the run-up, which made the speed-up control ineffective and led to the failure of the unit start-up.

3 Failure Analysis

The grid-connected signal is triggered by the grid switch closing signal and the generator outlet switch closing signal. Before starting the machine, the power grid switch is closed and the grid back-feeds the unit to provide a temporary power supply. When the generator outlet circuit breaker is closed, the steam turbine control system receives this signal and judges it according to the rotating speed: when the speed is lower than 95% of the rated speed, the signal is invalid; otherwise the signal takes effect and the unit enters grid-connected mode. When the unit is disconnected from the grid, it enters island mode and the turbo-generator supplies the plant equipment. When the unit is shut down, the generator outlet circuit breaker is opened and the unit is in the no-load state.

Before the grid-connected signal is generated, the speed of the steam turbine is adjusted by the speed controller. As shown in Fig. 2, the speed set value (Nset) and the speed measurement (Nm) form a speed deviation, which is converted into a power set value by the speed droop (Droop) and enters the PI regulator, where it is compared with the actual power (Pm); at the same time, the speed deviation acts on the PI output as a feedforward to form the steam demand (SD) for speed control, which sets the opening of the regulating valve [7, 8]. When a false grid-connected signal is generated during run-up, the steam turbine is switched from the speed controller to the load controller without disturbance.

Fig. 2. Logic of turbine speed control

Load control and speed control share one PI regulator. Assuming that the output of the PI regulator is Y1 before the false grid-connected signal is generated, the output is still Y1 at the moment of switching after the false signal is generated. After switching, the load set value Pset and the actual value Pm are both 0, and the contribution of the speed loop is 0 when primary frequency control is not in operation. Therefore, after the false grid-connected signal is generated, the output of the load controller remains unchanged at Y1, the steam turbine basically keeps the acceleration it had before grid connection, the speed cannot be stabilized at the rated speed, and finally the operator stops the unit manually and the run-up fails. According to the above analysis, a normally behaving steam turbine stays in the grid-connected condition inspection step after run-up is completed, waiting for grid connection. A false grid-connected signal makes the steam turbine enter grid-connected mode directly after run-up, and the turbine enters load control mode from speed control mode, causing the run-up to fail because of the rapid rise of speed.

4 Optimization Scheme

In order to avoid the risk of run-up failure caused by false grid-connected signals, it is necessary to optimize the run-up logic of the steam turbine and add the corresponding fault signal detection. As shown in Fig. 3, after optimization the blocking of the grid-connected signal by the speed signal is cancelled: when the speed is lower than 95% of the rated speed, the grid-connected signal still takes effect. At the same time, a grid-connected signal alarm at low speed is added so that false grid-connected signals are found during turning and warming-up.

Fig. 3. Optimization scheme of grid-connected logic

Before optimization, after run-up is released manually, the steam turbine automatically enters the speed-up phase of run-up. False grid-connected signals cannot be recognized in the speed-up phase, which leads to the failure of run-up. After optimization, as shown in Fig. 4, a false grid-connected signal check is added before the speed increase. If a false grid-connected signal exists at this time, run-up is locked out; otherwise, run-up is allowed.

Fig. 4. Optimization scheme of grid-connected check before run-up

To sum up, after optimization, an alarm is added in the turning and warming-up stages to detect the false grid-connected signal, and the locking function of

false grid-connected signals is realized through automatic logic in the speed-up stage, thus avoiding to the greatest extent the over-speed risk that false signals pose to the turbine run-up (Table 1).

Table 1. Comparison of fault detection and handling before and after the optimization

| Stage            | Original scheme                            | Optimization scheme                   |
| Turning stage    | No measure for false grid-connected signal | Alarm for false grid-connected signal |
| Warming-up stage | No measure for false grid-connected signal | Alarm for false grid-connected signal |
| Run-up stage     | No measure for false grid-connected signal | Automatic locking speed-up            |
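The failure mechanism of Sect. 3 and the interlock of Sect. 4, played out in a small discrete-time simulation. This is an added example and not the paper's or the plant's control code: the rated speed, warming speed n2, rotor constants, controller gains, droop, the 110% trip used only to stop the run, and the step durations are all constructed, and the treatment of a grid-connected signal recognized during turning and warming-up as an alarm and interlock input only (no mode switch before run-up is released) is an assumption. What the paper does state is reproduced: the 95% speed mask on the signal in the original scheme, the speed loop of Fig. 2 (droop, shared PI regulator, feedforward of the speed deviation), the bumpless switch to load control with Pset = Pm = 0 so that the PI output stays at Y1, and the optimized scheme's low-speed alarm and check before speed-up.

```python
"""Toy simulation of the turbine start-up sequence of Sects. 2-4 (added example,
not the paper's code).  All plant numbers and controller gains are constructed."""
from collections import namedtuple
from dataclasses import dataclass

RATED_SPEED = 3000.0             # rpm (constructed)
WARMING_SPEED = 1000.0           # rpm, the paper's n2 (constructed value)
GRID_SIGNAL_MIN_FRACTION = 0.95  # the 95 % rule of Sect. 3
OVERSPEED_TRIP_FRACTION = 1.10   # constructed trip point, used only to stop the run
DROOP = 0.05                     # speed droop, per unit (constructed)
DT = 1.0                         # s, simulation step
K_STEAM = 60.0                   # rpm/s per unit steam demand (constructed rotor model)
K_FRICTION = 0.01                # 1/s; SD = 0.5 holds rated speed at no load
FF_GAIN = 0.0005                 # feedforward of speed deviation onto the PI output
LOW_SPEED_ALARM = "false grid-connected signal at low speed"

StartupResult = namedtuple("StartupResult", "outcome max_speed final_speed alarms")

@dataclass
class PIRegulator:
    """The single PI regulator shared by the speed loop and the load loop."""
    kp: float = 0.5
    ki: float = 0.02
    integral: float = 0.0

    def step(self, error):
        candidate = self.integral + self.ki * error * DT
        out = self.kp * error + candidate
        # Conditional anti-windup: do not integrate further into saturation.
        if (out > 1.0 and error > 0.0) or (out < 0.0 and error < 0.0):
            return self.kp * error + self.integral
        self.integral = candidate
        return out

    def bumpless_transfer(self, held_output):
        """Loop switch 'without disturbance': the output continues at Y1."""
        self.integral = held_output

@dataclass
class Turbine:
    speed: float
    power: float = 0.0         # Pm, zero before grid connection
    steam_demand: float = 0.0  # SD, valve opening in per unit (0..1)

    def advance(self):
        self.speed += DT * (K_STEAM * self.steam_demand - K_FRICTION * self.speed)

def speed_control(pi, t, n_set):
    """Fig. 2: speed deviation -> droop -> power setpoint -> PI, plus feedforward."""
    err_n = n_set - t.speed
    y = pi.step(err_n / (DROOP * RATED_SPEED) - t.power)
    return max(0.0, min(1.0, y + FF_GAIN * err_n)), y

def load_control(pi, t, p_set):
    """Grid-connected mode: load loop only, no speed-loop contribution."""
    y = pi.step(p_set - t.power)
    return max(0.0, min(1.0, y)), y

def run_startup(scheme, breaker_closed, warming_steps=200, run_up_steps=400):
    """Run the sequence under the 'original' or 'optimized' scheme with a generator
    breaker-closed signal that is present (possibly falsely) from the start."""
    pi, t, alarms = PIRegulator(), Turbine(speed=30.0), []   # 30 rpm turning speed
    max_speed, last_y = t.speed, 0.0

    def grid_signal_effective():
        if scheme == "original":   # masked below 95 % of rated speed
            return breaker_closed and t.speed >= GRID_SIGNAL_MIN_FRACTION * RATED_SPEED
        return breaker_closed      # optimized: never masked, so it can be alarmed

    # Steps 1-2: turning confirmed, warming-up at n2 under speed control.  A
    # recognized signal is only alarmed here (assumption: no mode switch yet).
    for _ in range(warming_steps):
        if scheme == "optimized" and grid_signal_effective() \
                and t.speed < GRID_SIGNAL_MIN_FRACTION * RATED_SPEED \
                and LOW_SPEED_ALARM not in alarms:
            alarms.append(LOW_SPEED_ALARM)
        t.steam_demand, last_y = speed_control(pi, t, WARMING_SPEED)
        t.advance()
        max_speed = max(max_speed, t.speed)

    if scheme == "optimized" and grid_signal_effective():   # Fig. 4 check (steps 3-4)
        return StartupResult("locked", max_speed, t.speed, alarms)

    mode = "speed"
    for _ in range(run_up_steps):
        if mode == "speed" and grid_signal_effective():
            pi.bumpless_transfer(last_y)   # Pset = Pm = 0, so the output stays at Y1
            mode = "load"
        if mode == "speed":
            t.steam_demand, last_y = speed_control(pi, t, RATED_SPEED)
        else:
            t.steam_demand, last_y = load_control(pi, t, 0.0)
        t.advance()
        max_speed = max(max_speed, t.speed)
        if t.speed >= OVERSPEED_TRIP_FRACTION * RATED_SPEED:
            return StartupResult("overspeed", max_speed, t.speed, alarms)
    # Steps 5-6: run-up turned off near rated speed; hold it and wait for the grid.
    return StartupResult("waiting_for_grid", max_speed, t.speed, alarms)
```

Calling `run_startup("original", True)` ends in `overspeed`: the signal becomes effective the moment the speed crosses 95%, the PI output is frozen at a Y1 that still contains the steam needed for acceleration, and the speed keeps rising. `run_startup("optimized", True)` raises the low-speed alarm during warming-up and returns `locked` before the speed increase, while both schemes without the false signal settle at the rated speed and wait for the grid. The anti-windup and bumpless transfer are what make the mechanism visible; without the bumpless transfer the simulation would not show the "without disturbance" switch the paper describes.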


5 Conclusions

One-key start-up is the basic trend of nuclear power unit control, but at the same time it puts forward higher requirements for unit automation and intelligent control, and especially greater challenges to the safe operation of nuclear power units. In this paper, the one-key start-up sequence control of a nuclear power unit is analyzed and studied, and the false grid-connected signal is identified as one of the potential factors that lead to the failure of run-up. A fault detection method and a scheme for automatically blocking run-up in the speed-up control are proposed, which improve the safety of the automatic operation of the unit and provide a reference for the subsequent one-key start-up design of the unit.

References

1. Zeng, B., Zhan, X.L., Zhang, C.: Analysis and research on the standardized design of turbine control system in nuclear power plant. Process Automat. Instrument. 36(11), 36–40 (2015)
2. Chao-Jun, T., Yang, P.: Analysis on key technologies of 1000 MW steam turbine starting with one key. China Sci. Technol. Rev. 46, 6–7 (2014)
3. Hai-Yue, H., Yang, Y., Zhao-Yuan, S.: Thermal stress control strategy for startup procedure of CPR1000 nuclear turbines. Power Equip. 28(2), 90–93 (2014)
4. Ai-Min, Q., Yun, Z.: Control strategy and actualization of 660 MW SIEMENS turbine overall self-startup. Hebei Electr. Power 25(6), 36–39 (2006)
5. Li, X.: Analysis of self-start control step sequence of Siemens T3000 steam turbine unit. Plant Mainten. Eng. 431(17), 79–81 (2018)
6. Yun, C.: Talking about the self-triggered program of Siemens steam turbine. Sci-Tech Inform. Develop. Econ. 6, 205–207 (2008)
7. Lyu, A.G., Chen, W.H., Huang, W.J.: Implementation study on frequency modulation in nuclear power plant. Power Syst. Automat. 38(5), 86–88 (2016)
8. Guang, Y.: Comparison analysis of two speed control schemes for a nuclear power turbine. Electr. Eng. 16, 105–108 (2018)

Research on Application of Humidity Instrument in Nuclear Power Plant Ventilation System

Lu Liu(B), Heng Li, Zhi-Yin Liu, and Zhou Xiao
State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co., Ltd., Shenzhen, China
[email protected]

Abstract. Humidity regulation and control of the ventilation system plays an increasingly important role in the third generation nuclear power plant, and the humidity meter is an important piece of equipment for realizing this function. In this paper, the measuring principles of humidity instruments and the application requirements for third generation nuclear power humidity instruments are compared and analyzed in detail. Combined with the application of humidity instruments in nuclear power plants, two kinds of humidity instruments, capacitive and optical fiber, are proposed to meet the application requirements of third generation nuclear power plants.

Keywords: Nuclear power plant · Ventilation system · Humidity measurement · Humidity meter

1 Introduction

The ventilation system of a nuclear power plant undertakes the air supply and exhaust and the temperature and humidity regulation of all plant buildings. With the development and requirements of third generation nuclear power technology, the role of the ventilation system in the nuclear power plant is becoming more and more significant. Humidity regulation is an important part of the ventilation system, and the measurement accuracy of the humidity meter directly affects the humidity regulation function. In the third generation nuclear power plant, higher requirements are put forward for humidity control in the main control room and in the I&C electronic equipment rooms, and the related humidity instruments also need to be safety level instruments. The humidity instruments used in the previous CPR nuclear power project are unable to meet the application requirements of the third generation nuclear power plant. It is necessary to carry out research on humidity instruments and develop a high performance, safety level humidity instrument that meets the requirements of third generation nuclear power applications.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021 Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 616–622, 2021. https://doi.org/10.1007/978-981-16-3456-7_60


2 Analysis of Humidity Measurement Scheme

Humidity, the amount of water vapor in the air, indicates the degree of dryness or wetness of the air. There are three ways of expressing it: absolute humidity, relative humidity and dew point [1]. In industry, ventilation systems usually measure relative humidity [4].

2.1 Common Methods of Humidity Measurement

According to the humidity measurement methods of GB/T 11605-2005, the commonly used methods include the stretching method, the wet bulb method, the condensation dew point method, the chloride dew point method, the resistance-capacitance method, the electrolysis method and the gravimetric method [3]. The capacitance method and the resistance-capacitance method are widely used in industry.

2.2 A New Optical Fiber Humidity Measurement Method

In recent years, with the development of technology, optical fiber humidity sensors have gradually appeared. They have the advantages of high sensitivity, fast response, small size, light weight and strong anti-interference ability. Compared with the traditional electronic hygrometer, the optical fiber humidity sensor has great advantages [5].

High sensitivity, high detection limit. The optical fiber humidity sensor can measure humidity accurately to 2 to 3 decimal places, whereas a general electronic hygrometer can only measure humidity to one decimal place [6].

Fast response. When the humidity quickly reaches a certain stable value, a general electronic hygrometer needs a response time of several seconds to tens of seconds to display the current humidity accurately. The optical fiber humidity sensor can measure the current humidity in less than one second [7].

Small size, light weight. Compared with the traditional chip electronic hygrometer, the volume and mass of the optical fiber humidity sensor are much smaller, so it can measure in environments with fine structures.

Strong ability to resist environmental disturbance. The optical fiber humidity sensor can still work normally in environments with electromagnetic interference, high temperature and rapid changes of humidity [8].

After years of research, various types of fiber optic humidity sensors have emerged. At present, the common sensors can be roughly divided into the optical fiber transmission type, the optical fiber sensor type and the fiber grating type [2].

3 Application Requirements of Humidity Instrument in Ventilation System of Nuclear Power Plant

In the CPR project, the ventilation system is relatively simple. The opening of the fresh air valve and the operation of the electric heater are mainly controlled by humidity monitoring so as to control the humidity of the downstream air supply. It is only used for humidity control in some local areas, which is a non safety level function.

In the third generation nuclear power technology, there are two main ways for humidity instruments to participate in the humidity control and regulation of the ventilation system. They are mainly used to ensure the temperature and humidity of the main control room area and of the important electrical and I&C equipment areas of the safety building, and these functions are safety level functions. First, by measuring the temperature and humidity in the ventilation ducts, the corresponding enthalpy is calculated. The operation mode of the ventilation system is determined by comparing the enthalpy values in the supply, return and exhaust ducts, so as to adjust the opening of the fresh air valve, return air valve and exhaust valve, and at the same time adjust the electric heater and the cold water valve to keep the supply air temperature and humidity within a certain range. Second, humidity measuring instruments and humidifiers are installed in the important electronic equipment rooms; the humidifier is adjusted according to the measured value of the humidity meter to keep the room humidity within the required range.

In the third generation nuclear power technology, humidity instruments participate in the realization of safety level functions, so there are higher requirements for the humidity instruments themselves. The instrument needs to meet K3 identification and, depending on the area where it is installed, it also needs to meet certain radiation resistance requirements. At the same time, higher requirements are put forward for the EMC characteristics of the instrument, which should pass at least 14 of the tests of the IEC 61000 standard. At present, humidity measuring instruments contain embedded software; as a safety level instrument, this software needs independent V&V verification.
See Table 1 for the comparison of requirements for humidity instruments under different nuclear power technology routes.

Table 1. Comparison of requirements for humidity instruments under different nuclear power technology routes

| Technology route | Safety classification | Equipment qualification | Seismic requirements | Radiation resistance requirements | EMC requirements | Software V&V verification |
| CPR nuclear power project | Non safety class | No | No | No | IEC61000 (4 items in total) | No |
| Third generation nuclear power project | Safety class | K3 identification (RCC-E standard) | Yes | Yes | IEC61000 (14 items in total) | Yes |
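The enthalpy-based mode selection described above, as an added example that is not part of the paper or of any plant's ventilation logic. It computes the moist-air enthalpy of a duct from its temperature and relative humidity with the standard Magnus saturation-pressure approximation and the usual enthalpy equation, and then propagates the instrument's accuracy class into the decision, which is the point of the paper's Sect. 1: a reading of ±2.3% RH (the accuracy quoted in Table 2 below) spans a band of enthalpies, and when the bands of the two ducts overlap the comparison cannot be trusted. The comparison between a fresh-air intake and a return duct is my simplification of the supply, return and exhaust comparison the paper describes; the duct pressure, the sample readings and the names are constructed.

```python
"""Enthalpy comparison of two ventilation ducts with humidity-instrument
uncertainty taken into account (added example, not the paper's code)."""
import math

ATM_PRESSURE_KPA = 101.325   # assumed duct static pressure, close to atmospheric
RH_ACCURACY = 2.3            # % RH, the accuracy class quoted in Table 2


def saturation_pressure_kpa(t_c):
    """Magnus approximation over water; adequate for duct conditions."""
    return 0.61094 * math.exp(17.625 * t_c / (t_c + 243.04))


def humidity_ratio(t_c, rh_percent, p_kpa=ATM_PRESSURE_KPA):
    """Mass of water vapour per mass of dry air."""
    pv = rh_percent / 100.0 * saturation_pressure_kpa(t_c)
    return 0.622 * pv / (p_kpa - pv)


def moist_air_enthalpy(t_c, rh_percent):
    """kJ per kg dry air: sensible heat of the dry air plus the latent and
    sensible heat carried by the vapour (cp 1.006 and 1.86 kJ/kgK, 2501 kJ/kg)."""
    w = humidity_ratio(t_c, rh_percent)
    return 1.006 * t_c + w * (2501.0 + 1.86 * t_c)


def enthalpy_band(t_c, rh_percent, rh_accuracy=RH_ACCURACY):
    """Enthalpy interval consistent with a reading of +/- rh_accuracy % RH
    (the temperature error is ignored here, a simplification)."""
    lo = max(0.0, rh_percent - rh_accuracy)
    hi = min(100.0, rh_percent + rh_accuracy)
    return moist_air_enthalpy(t_c, lo), moist_air_enthalpy(t_c, hi)


def select_mode(fresh, ret, previous="recirculate", rh_accuracy=RH_ACCURACY):
    """Compare the fresh-air intake with the return duct; readings are
    (temperature in C, % RH).  The mode changes only when the two enthalpy
    bands do not overlap; otherwise the previous mode is held."""
    f_lo, f_hi = enthalpy_band(*fresh, rh_accuracy)
    r_lo, r_hi = enthalpy_band(*ret, rh_accuracy)
    if f_hi < r_lo:
        return "fresh_air"      # open fresh air valve, close return air valve
    if f_lo > r_hi:
        return "recirculate"    # return air is cheaper to condition
    return previous             # instruments cannot resolve the difference


if __name__ == "__main__":
    # Constructed readings: a mild outdoor intake against a warm, humid return duct.
    print(select_mode((18.0, 40.0), (26.0, 60.0)))   # fresh_air
    # Readings that differ by less than the instrument accuracy: hold the mode.
    print(select_mode((24.0, 55.0), (24.0, 57.0)))   # recirculate (previous)
```

The deadband that the uncertainty propagation produces is what prevents the dampers from hunting when the two ducts are close in enthalpy; the same comparison with `rh_accuracy=0.0` switches on a difference of 2% RH, which an instrument of the class in Table 2 cannot actually resolve.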


4 Application Analysis of Humidity Instrument in Ventilation System of Nuclear Power Plant

At present, the humidity instruments used in nuclear power plants are mainly capacitive or resistance-capacitance humidity measuring instruments. The main manufacturers are E+E of Germany, Rotronic of Switzerland and Michell of England. At present there is a certain gap between the performance of domestic humidity measuring instruments and foreign instruments, and they are not used in nuclear power plants. The main performance parameters of the humidity instruments used in nuclear power plants are shown in Table 2 and Fig. 1.

Table 2. Performance parameters of humidity instruments used in nuclear power plants

| Measuring range | 0–100% RH |
| Accuracy | ±2.3% RH (−15 °C–40 °C) |
| Response time | |

System network (SNET) -> NI/CI server -> Monitoring network (MNET) -> calculation server (Fig. 2 shows the path).

[Fig. 2 (architecture diagram, image not reproduced): Level 3 on the MNET comprises the MCR OWP, TSC COWP, RSS COWP, History Server A/B, Calculation Server A/B, Back-up Server, maintenance and commissioning stations and a gateway; NI Server A/B and CI Server A/B bridge the MNET to the SNET; on the SNET are the gateways GW-L1a, GW-L1b, GW-L1c and GW-L2, the Safety System Bus, the DTC, FCS cabinets holding NI controllers, CI controllers, I/O modules and communication stations, the TCS (TG DCS), other I&C and dedicated systems.]

Fig. 2. Generation Path of PCICS Life Monitoring Signal for GW-L1b (F-SC3)

The life monitoring signals of GW-L1b (F-SC1), GW-L2 (F-SC3), GW-L2 (F-SC1) and the NI/CI servers are all first transferred to the calculation server through their paths in the PCICS structure.


− Transmission path of the PCICS life monitoring signal: Calculation Server -> MNET -> NI/CI Server -> SNET -> Field Control Station -> DTC -> auxiliary control mean. The DTC system monitors the PCICS life status. If the PCICS fails, the DTC cabinet lights the alarm lamp on the auxiliary control mean through a Digital Output (DO).

4) Optimizing and Innovating
In order to meet the requirement effectively, technical research and innovation on the PCICS life monitoring scheme is necessary. All signals are collected in the calculation server to facilitate management; the signal is then transferred to the DTC, a device of higher safety level, which processes the signal and is connected to the auxiliary control mean.

4 PCICS Life Monitoring Function Analysis

After the implementation scheme for the above problems in the design of PCICS life monitoring, the detailed PCICS life monitoring function is described as follows:

1) PCICS life monitoring equipment
It includes the monitoring of three types of faults to determine PCICS failure: faults detected by the self-diagnosis system of the equipment; device failure in data sending (including network failure); device failure on the communication path (including the GW). The comprehensive judgment of the PCICS life monitoring signal is realized in the DTC system. The DTC cabinet adopts a safety platform, a safety-level DCS platform developed according to the requirements of the related standards [7, 8]. It meets the requirement that PCICS life status diagnosis be realized by a system of higher safety class.

2) PCICS life monitoring judgment
The F-SC3 DCS life monitoring signal is output as four DO signals through four control stations (two each in train A and train B, installed in the NI/CI servers). The four DO signals are sent to the DTC cabinet for life monitoring. The DTC takes the AND of the two signals of train A and of train B respectively, and the results of the two ANDs are combined by an OR. Finally, the result of that OR and the F-SC1 DCS life signal are combined by an OR to give the final PCICS life monitoring signal sent to the auxiliary control mean. In addition, the DO signals sent by the two control stations in each train of the F-SC3 DCS are monitored for deviation in the DTC, and the deviation results trigger the PCICS instrumentation and control fault alarm. The PCICS failure logic is shown in Fig. 3; the logic is realized by the F-SC1 device (DTC).


In addition, the failure signals of the F-SC3 parts are processed in the calculation servers and the field control station, which provide the necessary processing logic.

[Fig. 3 (logic diagram, image not reproduced): "F-SC3 PCICS failure Train-A Path 1" AND "F-SC3 PCICS failure Train-A Path 2"; "F-SC3 PCICS failure Train-B Path 1" AND "F-SC3 PCICS failure Train-B Path 2"; the two AND outputs feed an OR (≥1); that OR output and ("GW-L1b (F-SC1) A failure" AND "GW-L1b (F-SC1) B failure") feed a final OR (≥1) whose output is "PCICS failure". The logic is realized by F-SC1 (DTC); hard wire from F-SC3 to F-SC1.]

Fig. 3. PCICS failure logic
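The DTC judgment of Fig. 3 and the train-internal deviation check of Sect. 4, written out as plain boolean logic in an added example (this is not the project's DTC application code). The two-out-of-two AND per train, the OR between trains and the final OR with the F-SC1 gateway pair are exactly what the paper states. How each path's "failure" input is derived is not described on the page, so the `LifeSignal` record, the heartbeat timeout and the rule that a self-diagnosed fault or a stale life signal counts as that path's failure are my assumptions, chosen to cover the three fault types the paper lists (self-diagnosis, data sending, communication path).

```python
"""PCICS failure judgment of Fig. 3 plus the deviation alarm (added example)."""
from dataclasses import dataclass
from itertools import product

HEARTBEAT_TIMEOUT_S = 4.0   # assumed: no fresh life signal within this time = failed


@dataclass(frozen=True)
class LifeSignal:
    """State of one life-monitoring path as seen by the DTC (constructed record)."""
    source: str
    self_diag_fault: bool    # fault reported by the equipment's own self-diagnosis
    last_update_s: float     # time at which the DTC last received a fresh life signal


def path_failed(sig, now_s):
    """One boolean per path: self-diagnosed fault, or a stale life signal
    (which covers data-sending and communication-path failures)."""
    return sig.self_diag_fault or (now_s - sig.last_update_s) > HEARTBEAT_TIMEOUT_S


def pcics_failure(a1, a2, b1, b2, gw_a, gw_b):
    """Fig. 3: (A1 AND A2) OR (B1 AND B2), then OR with (GW-L1b A AND GW-L1b B)."""
    f_sc3 = (a1 and a2) or (b1 and b2)
    f_sc1 = gw_a and gw_b
    return f_sc3 or f_sc1


def ic_fault_alarm(a1, a2, b1, b2):
    """Deviation between the two control stations of one train raises the
    PCICS I&C fault alarm without declaring the PCICS failed."""
    return a1 != a2 or b1 != b2


def dtc_judgment(now_s, train_a, train_b, gw):
    """train_a, train_b and gw are pairs of LifeSignal records."""
    a1, a2 = (path_failed(s, now_s) for s in train_a)
    b1, b2 = (path_failed(s, now_s) for s in train_b)
    gw_a, gw_b = (path_failed(s, now_s) for s in gw)
    return {"pcics_failure": pcics_failure(a1, a2, b1, b2, gw_a, gw_b),
            "ic_fault_alarm": ic_fault_alarm(a1, a2, b1, b2),
            "inputs": (a1, a2, b1, b2, gw_a, gw_b)}


def single_failure_never_declares_pcics_failed():
    """Check over all 64 input combinations that exactly one failed path can
    at most raise the deviation alarm, never the PCICS failure output."""
    for bits in product((False, True), repeat=6):
        if sum(bits) == 1 and pcics_failure(*bits):
            return False
    return True


if __name__ == "__main__":
    now = 10.0
    ok = LifeSignal("fresh", False, 9.5)
    stale = LifeSignal("stale", False, 2.0)
    print(dtc_judgment(now, (ok, stale), (ok, ok), (ok, ok)))   # alarm only
    print(dtc_judgment(now, (stale, stale), (ok, ok), (ok, ok)))  # PCICS failure
```

The exhaustive check at the end is the kind of property a reviewer wants from voting logic: no single failed path (and no single stuck DO) can by itself switch the operators to the auxiliary control means, while any such single deviation is still made visible through the alarm.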

3) PCICS life monitoring notification
When the DTC judges that the PCICS has failed, the alarm light plates (PCICS 0200AA1, PCICS 0200AA2) in the auxiliary control panel are lit in order to notify the operator of the judgment result. The conventional alarm is shown in Fig. 4.

Fig. 4. Auxiliary control mean alarm light plates (PCICS 0200AA1, PCICS 0200AA2)


5 Experiment of PCICS Minimum Configuration

Life monitoring judges the availability of the PCICS. The PCICS takes sufficient measures to prevent failure, and its fault tolerant design keeps PCICS operation highly reliable even when the PCICS is partially failed [9]. The goal of the PCICS minimum configuration is to define the minimum condition under which the PCICS can still perform its specified functions without switching to the auxiliary control mean when some of its components or equipment have failed. The PCICS minimum condition thus defines which degradations of the PCICS cause PCICS operation to be turned over to auxiliary control mean operation. Figure 5 shows one verification flowchart of the PCICS minimum configuration.

Fig. 5. Verification flowchart of PCICS minimum configuration

6 Conclusions

This paper makes a comprehensive and clear analysis of the design and implementation scheme of PCICS life monitoring in the MCR of an NPP. The life monitoring of the PCICS is used to monitor the availability of the PCICS system through the life signal mechanism, using system equipment of higher reliability, and to send an alarm to the operator of the main control room. The life monitoring scheme of the PCICS system continues to undergo design optimization as the overall structure of the DCS changes. This paper has optimized the design of the life monitoring scheme, which provides an engineering application demonstration for the advanced MCR design of the new generation project.

References

1. IAEA: Safety of Nuclear Power Plants Design, SSR-2/1, Revision 1 (2016)
2. HAF102: Chinese Nuclear Safety Regulation, Safety of Nuclear Power Plants Design (2016)
3. IEC 61227: Nuclear Power Plant-Control Rooms-Operator Controls (2008)
4. HAF.J0055: Engineering Principles for Control Room Design of Nuclear Power Plant (1995)
5. NB/T 20059: The Operator Controls in Control Rooms of Nuclear Power Plant (2012)
6. IEC 60964: Nuclear Power Plants-Control Rooms-Design (2018)
7. IEC 60780: Nuclear Power Plant-Electrical equipment of the safety system-Qualification (2000)
8. IEC 60880: Software for Computers Important to Safety for Nuclear Power Plants (2001)
9. IEC 61513: Nuclear Power Plants-Instrumentation and Control Systems Important to Safety-General Requirement for Systems (2011)

Application Research on Intelligent Fault-Diagnosis of Nuclear Power Plant Equipment Based on Support Vector Machine

Kai Gu1(B), Zhi-Hong Lv1, Jian-Quan Xu2, Zhang-yu1, and Hua-Qing Peng1

1 State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Company Ltd., Shen Zhen 518172, China
[email protected]
2 Equipments Maintenance Department, Yang Jiang Nuclear Power Plant, Yang Jiang, China

Abstract. Large rotating machinery is extensive and important equipment in nuclear power plants. On-line vibration monitoring and effective fault diagnosis of it are necessary, and they are also basic application characteristics of an intelligent nuclear power plant system. Support vector machines (SVM) can be applied to the fault diagnosis of large rotating machinery in nuclear power plants because they achieve good classification with few training samples and without prior knowledge of the fault classes. Therefore, an on-line vibration monitoring system for large rotating machinery in a nuclear power plant is first built to extract fault features. Then, using simulated data from a vibration test bed and fault data from actual equipment operation, the SVM algorithm is applied. Comparison with the actual faults shows good diagnosis results, which verifies the effectiveness of the method and supports the development of an intelligent diagnosis function for the software platform of the vibration monitoring device.

Keywords: Vibration monitoring · Nuclear power plant · Support vector machine · Intelligent fault diagnosis

1 Introduction

The essence of fault diagnosis is a pattern recognition problem. Judging whether the operating state of the equipment is normal or abnormal, and determining the form and the specific location of a fault, can all be reduced to pattern recognition, which is simply a classification problem [1]. At present, one difficulty in realizing intelligent fault diagnosis of nuclear power plant equipment is the lack of typical fault data samples; the other is fault-feature knowledge discovery. Both restrict the application of intelligent fault diagnosis in nuclear power plants. Commonly used intelligent diagnosis methods such as fuzzy diagnosis, expert systems and artificial neural networks need a large number of fault data samples or prior knowledge, and their generalization performance is hard to guarantee when the training samples are limited. Support vector machines (SVM) can achieve good classification results with few training samples, so they are a promising method for intelligent equipment fault diagnosis [2].

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 657–664, 2021. https://doi.org/10.1007/978-981-16-3456-7_65

2 Multiclass Classification Algorithms Based on Two-Class Support Vector Machines

At present, multiclass classification algorithms based on support vector machines (SVM) fall roughly into two types. In the first, the objective function of the two-class SVM is modified directly, the multi-valued classification model is reconstructed, and a k-class SVM is established; optimizing the new objective function realizes the multiclass classification in one step. The objective function of this algorithm is complex, the number of variables is large, and neither the training speed nor the classification accuracy is high. In the second, multiclass classification is realized by combining a series of two-class SVMs; this type is the one mostly used in fault diagnosis, and it can be divided into the following branch algorithms.

2.1 One-Against-One Classification

For k classes of training samples, an SVM classifier is constructed between every pair of classes, so that k(k − 1)/2 two-class classifiers are built in total. When a new sample is classified, each classifier votes for one of its two classes, and the class with the most votes is the class of the new sample. Its disadvantage is that the number of classifiers, and therefore of training runs, grows quadratically with the number of classes k, and the generalization error is unbounded. If the individual classifiers are not regularized, the whole k-class classifier tends to overfit.

2.2 One-Against-All Classification

For a k-class problem, k two-class SVM classifiers are constructed in total. The i-th SVM classifier uses the training samples of class i as one class and all the other samples as the other class. During classification, a new sample is assigned to the class whose classifier gives the largest output. The disadvantages are that each classifier trains on a large number of samples, training is difficult, and the generalization error is unbounded [2].

2.3 Linear Binary Tree Classification

Of the k classes, k − 1 classes are regarded as one large class and the remaining class as the other, and a two-class SVM classifier is trained to separate them. Then, within the k − 1 classes, (k − 1) − 1 classes are regarded as one large class and the remaining class as the other, and another two-class classifier is trained; and so on until the last two classes are separated, as shown in Fig. 1. For a k-class problem, k − 1 SVM classifiers are needed in total. This algorithm uses fewer classifiers and trains on fewer repeated samples, so the speed of both training and classification is improved [3] (Fig. 1).


Fig. 1. Binary tree classification algorithm

In the test, a sample is first input to the first classifier. If the output is class 1, the sample is assigned the fault category corresponding to classifier 1 and the test ends; otherwise the next classifier is used, and so on until the sample is assigned to a category. Compared with the one-against-one and one-against-all methods, this serial structure greatly reduces the number of repeated computations over the training samples, eliminates the unclassifiable regions that exist in those two methods, and improves the efficiency of classifier training.

2.4 Selection of Kernel Functions

The commonly used kernel functions are the linear kernel, the Gaussian radial basis function, the polynomial kernel and the exponential radial kernel [4].
(1) Polynomial kernel, for which the SVM is a q-order polynomial classifier: $K(x, x_i) = (x^T x_i + 1)^q$.
(2) Radial basis function kernel, for which the SVM is a radial basis function classifier: $K(x, x_i) = \exp\left(-\dfrac{\|x - x_i\|^2}{\sigma^2}\right)$.
(3) Sigmoid (S-shaped) kernel, for which the SVM realizes a two-layer perceptron network; here not only the network weights but also the number of hidden-layer nodes are determined automatically by the algorithm [5]: $K(x, x_i) = \tanh\left(v\,(x^T x_i) + c\right)$.

3 SVM Classification Training and Application

For vibration faults of large rotating machinery in nuclear power plants, the typical failure modes are unbalance, misalignment, rub impact, bearing pedestal looseness and rotor bending. With the intelligent diagnosis function applied, the platform can output the fault mode automatically through modeling and classification training.


3.1 Vibration Test Device and Fault Feature Extraction

The data come from the ZT-3 rotor vibration simulation test bed, which can reproduce a variety of vibration phenomena of large rotating machinery. By changing the rotor speed, the shafting stiffness, the mass unbalance, the friction or impact conditions of the bearings and the type of coupling, the running state of rotating equipment is simulated. The test bed is driven by a DC shunt motor whose shaft drives the rotor directly through a coupling. The rated current of the motor is 2 A and its maximum output power is 250 W. By adjusting the output voltage manually, stepless speed regulation of the motor in the range of 0–10000 rpm is obtained, with an acceleration rate of up to 800 rpm/min. The vibration measuring device used in the experiment is the rvm1000 vibration monitoring system, an embedded system developed in-house by the national heavy industry laboratory. The collector integrates signal conditioning and data acquisition and has wireless signal transmission. The monitoring software performs time-domain and frequency-domain analysis (Fig. 2).

Fig. 2. Vibration test device

Five faults, namely original unbalance, misalignment, rub impact, bearing pedestal looseness and rotor bending, are simulated in turn on the test bed. The spectrum of each fault is divided into the following eight frequency bands: (0.01–0.39)F1, (0.4–0.49)F1, 0.5F1, (0.5–0.99)F1, F1, 2F1, 3F1 and >3F1, where F1 is the power (rotating) frequency [6]. The amplitudes within each band are summed, and the ratio of each band sum to the total, i.e. the normalized band sum, is used as the frequency-domain characteristic parameter (Fig. 3).

3.2 Characteristic Value of Ascending and Descending Speed Trend

When a vibration fault occurs, the fault has its own process of occurrence and development. Most conventional diagnosis methods use only the characteristics observed at the moment of the fault; however, when different vibration faults of the unit show similar instantaneous characteristics this approach

Fig. 3. Spectra of several typical faults (panels: unbalance spectrum, misalignment spectrum, dynamic and static rub impact, bearing looseness spectrum)

will lead to misjudgment [7]. On the other hand, there are considerable differences in how different faults develop over time. For example, when dynamic-static rub impact occurs in the unit, the local temperature of the rotor rises and the rotor bends, which changes the original mass unbalance and makes the vibration amplitude and the 1X phase fluctuate; steam-induced vibration is usually caused by a change of unit load or of thermal parameters, under which the rotor is acted on by a tangential force and gradually becomes unstable, which shows up in the time-varying trend of the shaft orbit. Practice has shown that the time-trend information of the characteristic quantities plays an important role in fault diagnosis (Tables 1 and 2).

Table 1. Characteristic vector of acceleration process

Fault samples  | Change or not | Increase with speed | Decrease with speed | Sudden rise | Sudden drop
Mass unbalance | 0 | 1 | 0 | 0 | 0
Misalignment   | 1 | 1 | 1 | 1 | 1
Rubbing        | 1 | 1 | 0 | 1 | 1
Looseness      | 1 | 0 | 1 | 0 | 0
Shaft bow      | 1 | 0 | 0 | 1 | 1

Table 2. Characteristic vector of deceleration process

Fault samples  | Change or not | Increase with speed | Decrease with speed | Sudden rise | Sudden drop
Mass unbalance | 0 | 0 | 1 | 0 | 0
Misalignment   | 1 | 0 | 1 | 0 | 0
Rubbing        | 1 | 0 | 1 | 1 | 1
Looseness      | 1 | 0 | 1 | 0 | 0
Shaft bow      | 1 | 0 | 0 | 1 | 1
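The band-ratio feature of Sect. 3.1 computed from a raw vibration record, as an added example; this is not code from the paper or from the rvm1000 platform. The band list is the paper's. The paper does not say how wide the "exact" lines 0.5F1, F1, 2F1 and 3F1 are, so LINE_TOL is an assumed half-width; those lines are given priority where the paper's list overlaps at 0.5F1, and energy between the 1X, 2X and 3X lines is dropped because the band list does not cover it. The signal is synthetic, not a test-bed measurement.

```python
"""Frequency-band feature of Sect. 3.1 from a raw vibration record.
Added example, not the paper's code.  Band layout is the paper's: (0.01-0.39)F1,
(0.4-0.49)F1, 0.5F1, (0.5-0.99)F1, F1, 2F1, 3F1, >3F1 with F1 the rotating
(power) frequency.  LINE_TOL, the priority of exact lines over adjacent ranges,
and the handling of the 1X-3X gaps are assumptions; the signal is synthetic."""
import cmath
import math

BAND_NAMES = ["0.01-0.39F1", "0.4-0.49F1", "0.5F1", "0.5-0.99F1", "F1", "2F1", "3F1", ">3F1"]
LINE_TOL = 0.05   # assumed half-width of a spectral line, as a fraction of F1


def dft_amplitude(samples, fs):
    """One-sided amplitude spectrum [(f_hz, amplitude), ...] by direct DFT.
    O(N^2), adequate for short records; a production path would use an FFT."""
    n = len(samples)
    spectrum = []
    for k in range(n // 2 + 1):
        acc = sum(samples[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
        spectrum.append((k * fs / n, 2.0 * abs(acc) / n))
    return spectrum


def band_index(ratio):
    """Map f/F1 to a band index 0..7, or None if the bin lies outside every band.
    Exact lines (0.5F1, F1, 2F1, 3F1) take priority, since 0.5F1 also sits at the
    lower edge of the (0.5-0.99)F1 range in the paper's list."""
    for idx, centre in ((2, 0.5), (4, 1.0), (5, 2.0), (6, 3.0)):
        if abs(ratio - centre) <= LINE_TOL:
            return idx
    if ratio < 0.01:
        return None                      # DC / drift below 0.01F1 is not a band
    if ratio < 0.4:
        return 0
    if ratio < 0.5:
        return 1
    if ratio < 1.0:
        return 3
    if ratio > 3.0:
        return 7
    return None                          # between the 1X, 2X and 3X lines: not in the band list


def band_features(spectrum, f1):
    """Sum the amplitudes of every bin per band and normalise by the total (Sect. 3.1)."""
    sums = [0.0] * len(BAND_NAMES)
    for f_hz, amp in spectrum:
        idx = band_index(f_hz / f1)
        if idx is not None:
            sums[idx] += amp
    total = sum(sums)
    return [s / total for s in sums] if total > 0 else sums


def synthetic_record(fs=500, seconds=1.0, f1=50.0):
    """Constructed signal: 1X at 1.0, 2X at 0.5 and a 0.5X component at 0.2."""
    n = int(fs * seconds)
    return [1.0 * math.sin(2 * math.pi * f1 * t / fs)
            + 0.5 * math.sin(2 * math.pi * 2 * f1 * t / fs)
            + 0.2 * math.sin(2 * math.pi * 0.5 * f1 * t / fs) for t in range(n)]


def demo_features(fs=500, f1=50.0):
    """Band ratios of the synthetic record: the three components give 0.2/1.7, 1.0/1.7 and 0.5/1.7."""
    return band_features(dft_amplitude(synthetic_record(fs, 1.0, f1), fs), f1)
```

With an integer number of cycles per record there is no spectral leakage, so the three components land exactly in the 0.5F1, F1 and 2F1 bands; on a real record with leakage, the choice of LINE_TOL decides how much of a smeared 1X peak is credited to F1 rather than to the (0.5–0.99)F1 range, which is why it has to be fixed before the feature vectors are compared.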

3.3 Fault Sample Data Collection

An 18-dimensional symptom feature vector is constructed by combining the frequency-domain features with the ascending- and descending-speed trend features. For the five faults, original unbalance, misalignment, rub impact, bearing pedestal looseness and rotor bending, 20 samples of each are taken, giving 100 samples from the test bed; 10 samples of each fault form the training set and the other 10 the test set. After training, the 10 test samples of each fault are classified and the classification results are collected.

3.4 Fault Classification Test Based on SVM

First the samples are numbered: original unbalance, misalignment, rub impact, bearing pedestal looseness and rotor bending are numbered 1 to 5 in sequence. The procedure is as follows.


Step 1: Using the linear binary tree structure, build four two-class SVM classifiers, SVM1_2345, SVM2_345, SVM3_45 and SVM4_5, which separate class 1 from classes 2–5, class 2 from classes 3–5, class 3 from classes 4–5, and class 4 from class 5 respectively.

Step 2: The radial basis function $K(x, x_i) = \exp\left(-\gamma \|x - x_i\|^2\right)$ (the kernel of Sect. 2.4 with $\gamma = 1/\sigma^2$) is chosen as the kernel of all four classifiers, with γ = 0.5.

Step 3: The learning samples are input to each two-class classifier according to the topology shown in Fig. 1 for training, and the test samples are then classified. The classification results are shown in Table 3.

Table 3. The result of classification using one-against-all (rows: actual fault of the 10 test samples; columns: fault assigned by the classifier)

Fault samples  | Mass unbalance | Misalignment | Rubbing | Looseness | Shaft bow | Recognition rate %
Mass unbalance | 7 | 1 | 0 | 2 | 0 | 70
Misalignment   | 0 | 8 | 2 | 0 | 0 | 80
Rubbing        | 1 | 1 | 7 | 1 | 0 | 70
Looseness      | 1 | 0 | 1 | 8 | 0 | 80
Shaft bow      | 0 | 1 | 0 | 0 | 9 | 90

3.5 Test and Results

Through fault simulation, sample collection and feature extraction, fault samples for training and testing are obtained. On the basis of the two-class classification model, the application model of the one-against-all (one-to-many) classification algorithm is constructed, and after training on the sample data the five faults can be distinguished. The results show that with a small number of samples the SVM still reaches a high fault recognition rate: 39 of the 50 test samples (78%) are classified correctly. At the same time, the expected number of misclassified samples can be used to narrow the value range of the kernel parameter γ [8].
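The procedure of Steps 1–3 carried through in code, as an added example that is not the paper's own implementation: the RBF kernel with γ = 0.5, the four-node cascade SVM1_2345 .. SVM4_5 of Sect. 2.3, the serial test of Sect. 2.3, and the confusion matrix and per-class recognition rate of Table 3. The paper does not say which SVM solver it used; the two-class classifier here is trained with kernelised Pegasos (Shalev-Shwartz et al.), and the regularisation constant, epoch count and seeds are assumptions. The feature vector follows the paper's 18-dimensional layout: 8 normalised band ratios followed by the five acceleration and five deceleration trend bits of Tables 1 and 2; the band profiles in BANDS are constructed for illustration and are not test-bed data.

```python
"""Linear binary-tree multiclass SVM for the five rotor fault classes.
Added example, not the paper's code.  RBF kernel with gamma = 0.5 (Step 2); a
two-class SVM trained by kernelised Pegasos (the paper does not name its solver,
this is an assumption); the four-node cascade SVM1_2345 .. SVM4_5 (Step 1); and
the confusion matrix / recognition rate of Table 3.  Features: 8 normalised band
ratios + the 5 + 5 trend bits of Tables 1 and 2.  Band profiles are CONSTRUCTED."""
import math
import random

GAMMA = 0.5
FAULTS = ["unbalance", "misalignment", "rubbing", "looseness", "shaft_bow"]  # classes 1..5
# Trend bits copied from Table 1 (acceleration) and Table 2 (deceleration).
TREND = {
    "unbalance":    [0, 1, 0, 0, 0,  0, 0, 1, 0, 0],
    "misalignment": [1, 1, 1, 1, 1,  1, 0, 1, 0, 0],
    "rubbing":      [1, 1, 0, 1, 1,  1, 0, 1, 1, 1],
    "looseness":    [1, 0, 1, 0, 0,  1, 0, 1, 0, 0],
    "shaft_bow":    [1, 0, 0, 1, 1,  1, 0, 0, 1, 1],
}
# Constructed energy shares over (0.01-0.39)F1, (0.4-0.49)F1, 0.5F1, (0.5-0.99)F1, F1, 2F1, 3F1, >3F1.
BANDS = {
    "unbalance":    [0.02, 0.02, 0.02, 0.04, 0.80, 0.05, 0.03, 0.02],
    "misalignment": [0.02, 0.02, 0.02, 0.04, 0.35, 0.40, 0.12, 0.03],
    "rubbing":      [0.10, 0.12, 0.15, 0.13, 0.25, 0.10, 0.08, 0.07],
    "looseness":    [0.05, 0.05, 0.30, 0.15, 0.25, 0.10, 0.05, 0.05],
    "shaft_bow":    [0.02, 0.02, 0.02, 0.04, 0.60, 0.25, 0.03, 0.02],
}

def rbf(x, y, gamma=GAMMA):
    """K(x, xi) = exp(-gamma * ||x - xi||^2)."""
    return math.exp(-gamma * sum((a - b) ** 2 for a, b in zip(x, y)))

def feature_vector(name, rng=None, noise=0.03):
    """18-dim symptom vector; with rng the band shares are perturbed (constructed data)."""
    bands = list(BANDS[name])
    if rng is not None:
        bands = [max(1e-3, b + rng.gauss(0.0, noise)) for b in bands]
    total = sum(bands)
    return [b / total for b in bands] + list(TREND[name])

def make_samples(n_per_class, seed):
    rng = random.Random(seed)
    xs, ys = [], []
    for label, name in enumerate(FAULTS, start=1):
        for _ in range(n_per_class):
            xs.append(feature_vector(name, rng))
            ys.append(label)
    return xs, ys

class KernelSVM:
    """Two-class SVM (labels +1/-1) trained by kernelised Pegasos: f(x) = sum_j a_j y_j K(x_j, x)."""
    def __init__(self, lam=0.01, epochs=30, seed=0):
        self.lam, self.epochs, self.seed = lam, epochs, seed

    def fit(self, xs, ys):
        n = len(xs)
        gram = [[rbf(a, b) for b in xs] for a in xs]        # Gram matrix, computed once
        alpha, rng = [0] * n, random.Random(self.seed)
        for t in range(1, self.epochs * n + 1):
            i = rng.randrange(n)
            margin = ys[i] * sum(alpha[j] * ys[j] * gram[i][j] for j in range(n)) / (self.lam * t)
            if margin < 1.0:                                 # hinge loss active: update this sample
                alpha[i] += 1
        self.sv = [(xs[j], ys[j], alpha[j]) for j in range(n) if alpha[j] > 0]
        return self

    def decision(self, x):
        return sum(a * y * rbf(v, x) for v, y, a in self.sv)

class BinaryTreeSVM:
    """Linear binary tree of Sect. 2.3: node m separates class m from classes m+1..k."""
    def fit(self, xs, ys):
        self.classes, self.nodes = sorted(set(ys)), []
        for m in self.classes[:-1]:
            sub = [(x, 1 if y == m else -1) for x, y in zip(xs, ys) if y >= m]
            self.nodes.append((m, KernelSVM(seed=m).fit([s[0] for s in sub], [s[1] for s in sub])))
        return self

    def predict(self, x):
        for m, svm in self.nodes:                            # serial test: stop at first positive node
            if svm.decision(x) > 0:
                return m
        return self.classes[-1]                              # rejected by every node: last class

def confusion_and_rates(model, xs, ys, classes):
    """Confusion matrix (rows = actual class) and per-class recognition rate in %, as in Table 3."""
    idx = {c: i for i, c in enumerate(classes)}
    cm = [[0] * len(classes) for _ in classes]
    for x, y in zip(xs, ys):
        cm[idx[y]][idx[model.predict(x)]] += 1
    return cm, [100.0 * cm[i][i] / sum(cm[i]) for i in range(len(classes))]

def run_experiment(train_per_class=10, test_per_class=10):
    """10 training and 10 test samples per fault, as in Sect. 3.3; returns (model, matrix, rates)."""
    xs_tr, ys_tr = make_samples(train_per_class, seed=1)
    xs_te, ys_te = make_samples(test_per_class, seed=2)
    model = BinaryTreeSVM().fit(xs_tr, ys_tr)
    cm, rates = confusion_and_rates(model, xs_te, ys_te, model.classes)
    return model, cm, rates
```

`run_experiment()` returns the trained cascade, the 5×5 confusion matrix and the five recognition rates; because the constructed classes are far apart in feature space the rates come out at 100%, unlike the 70–90% of Table 3, which is the point to keep in mind when reading any result obtained on simulated rather than plant data. The cascade order matters: a fault placed early in the tree is decided by a single node, while the last class is only ever reached by rejection at every preceding node, so the class with the weakest features should not be put last.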


4 Conclusion

From the vibration signal acquired from the equipment, the spectrum is computed and the fault signal is analyzed in the frequency domain. Verification shows that the SVM successfully separates normal and fault signals with few misclassified samples. The application of support vector machines to the intelligent fault diagnosis of nuclear power equipment is therefore of practical significance and can be developed further in the diagnosis software package.

References
1. Cristianini, N., Shawe-Taylor, J.: An Introduction to Support Vector Machines and Other Kernel-Based Learning Methods. Cambridge University Press, Cambridge (2000)
2. Kecman, V.: Learning and Soft Computing: Support Vector Machines, Neural Networks and Fuzzy Logic Models. The MIT Press, Cambridge (2001)
3. Han, T., Jiang, D., Zhao, Q., et al.: Comparison of random forest, artificial neural networks and support vector machine for intelligent diagnosis of rotating machinery. Trans. Inst. Meas. Contr. 40(8), 2681–2693 (2018)
4. Hu, Q., He, Z., Zhang, Z., Zi, Y.: Fault diagnosis of rotating machinery based on improved wavelet package transform and SVMs ensemble. Mech. Syst. Signal Process. 21(2), 688–705 (2007)
5. Zheng, J., Pan, H., Cheng, J.: Rolling bearing fault detection and diagnosis based on composite multiscale fuzzy entropy and ensemble support vector machines. Mech. Syst. Signal Process. 85, 746–759 (2017)
6. Sun, H.C., Huang, Y.C.: Support vector machine for vibration fault classification of steam turbine-generator sets. Procedia Eng. 24, 38–42 (2011)
7. Li, Y., Xu, M., Wei, Y., Huang, W.: A new rolling bearing fault diagnosis method based on multiscale permutation entropy and improved support vector machine based binary tree. Measurement 77, 80–94 (2016)
8. Ahmed, H., Nandi, A.K.: Condition Monitoring with Vibration Signals, vol. 276, pp. 16–22. Brunel University London, UK (2020)

Safety and Reliability Analysis Based on the FMECA of the Fire Protection System of NPPs

Xu-Tao Bai(B), Dan-Dan Sun, Hua-Song Fang, and Xiao-Chen Zhang

Suzhou Nuclear Power Research Institute, Suzhou 215004, Jiangsu Province, China
[email protected]

Abstract. This paper analyzes the main failure modes of the fire protection system in nuclear power plants and uses the FMECA (failure mode, effects and criticality analysis) method to identify its key sensitive equipment. Combining the working principle and the operating environment of the fire protection equipment, it analyzes the failure modes of the key equipment in depth and proposes targeted operation and maintenance optimization strategies, so as to reduce the failure probability of the fire protection equipment and improve the safety and reliability of the fire protection system in nuclear power plants.

Keywords: Nuclear power plant · Fire protection system · Failure analysis · Safety and reliability

1 Introduction

During normal operation of a nuclear power plant, the principle of defense in depth is strictly implemented to ensure nuclear safety through multiple safeguards and multi-level protection. However, once a fire or explosion is caused by an open flame, these defense barriers may be destroyed, radioactive material may be released to the external environment, and serious harm may be done to the environment and the public. Statistical analysis of nuclear power plant accidents shows that fires occur far more frequently than nuclear accidents. When a fire occurs, the fire protection system must promptly locate it, send out alarm signals, actuate the fire-fighting equipment, isolate and extinguish the fire, and so directly protect the nuclear-safety-related systems and equipment and ensure the integrity and availability of their functions. Because the fire protection system directly protects nuclear-safety-related equipment, its reliability directly affects the safety of the nuclear power plant, and its safety and reliability therefore deserve great attention. In this paper, the FMECA method is used to analyze the failure modes of the key equipment in depth, combined with the working principle and the operating environment of the fire protection equipment, and targeted operation and maintenance optimization strategies are proposed to improve the safety and reliability of the fire protection equipment in nuclear power plants [1].

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 665–673, 2021. https://doi.org/10.1007/978-981-16-3456-7_66


2 Brief Introduction of the Fire Protection System in NPPs

The fire protection system of a nuclear power plant consists of the fire detection system and the fire extinguishing system. The fire detection system detects the early characteristics of a fire with fire detectors and so provides early detection, early warning and alarm. The fire extinguishing system responds to the signals of the fire detection system by isolating or extinguishing the fire, thereby protecting equipment and facilities. The fire detection system is mainly composed of the fire detection host, the fire detectors, the detection circuits and the linkage equipment. The fire detection host is the control core of the fire detection system; it receives and processes the signals from the detection circuits. The detectors send their signals back to the host through the detection circuits, the host processes the received signals according to a predetermined program, and according to the result it starts the various functions of the fire protection system, such as triggering the audible alarm, shutting down the fans, or starting the water spray system. The fire extinguishing system is divided into the fire water production system, the distribution system, and the fire extinguishing systems of the nuclear island, the conventional island and the auxiliary plant. It is mainly composed of water storage/liquid storage facilities, fire pumps, deluge valve groups, flood valves, pressure/level switches, fire piping, etc.

3 Operation Status of the Fire Protection System

An investigation of the operation status of the fire protection systems of several nuclear power plants in China found some prevalent problems: a high failure rate, strong recurrence, wide scope and great influence. For example: various detectors have given false fire alarms, which once caused the fire-fighting equipment to spray the protected equipment by mistake; during the linkage test of a safety fire area, a detector failed to alarm, leading to loss of the fire protection function in that area, which may affect unit operation during an outage and was recorded as an I0 event; during power operation, the failure of a fire temperature detector in the nuclear island once led to a power reduction of the unit; and a large-area flashing failure of detection-circuit equipment made the number of unavailable fire areas exceed the technical specification limits, causing an unexpected event for the unit. Statistics of fire protection system repair orders and of the share of I0 events for units 1 and 2 of a domestic nuclear power plant from 2016 to 2018 (see Table 1) show that the failure rate of the fire protection systems of both units has remained high over these three years, with failures in the fire areas related to nuclear safety accounting for more than 30% of all fire protection system failures. During power operation, fire protection system I0 events accounted for more than 15% of all I0 events of the units, which had a great impact on unit operation. The monthly test data of the fire water distribution systems of units 8 and 9 of the nuclear power plant over the recent three years are summarized in Table 2.


Table 1. Failure status of a nuclear power plant fire protection system

Year | Total failures | Failures in fire areas related to nuclear safety | Share of unit I0 events
2016 | 621 | 193 | 15%
2017 | 703 | 244 | 19%
2018 | 637 | 225 | 16%

Table 2. Results of the monthly test of the fire protection water distribution system in the recent 3 years

Year | Dissatisfied | Satisfied with reservation | Satisfied
2016 | 2 | 17 | 5
2017 | 1 | 19 | 4
2018 | 2 | 18 | 4

The data in Table 2 show that the proportion of fully satisfactory monthly tests of the fire water distribution system is low, and that a failed first test followed by a repeat test after emergency maintenance occurred every year. Therefore, through FMECA of the fire protection system combined with the field operation situation, targeted measures can be taken to improve its safety and reliability.

4 FMECA Analysis of the Fire Protection System

In the FMECA of the fire protection system, plant field data and external experience feedback are collected with the aim of improving the reliability of the system and reducing its failure rate. First the objects of analysis are determined, their system structure is analyzed, and the system function block diagram is drawn; based on the field data and with reference to external generic data, the characteristic data are calculated. Second, the FMECA results are used as the basis for identifying the key sensitive equipment and the root causes of failure of the fire protection system [2]; the important sensitive equipment is screened out and then analyzed in detail. In this paper all equipment with a functional location code in the fire protection system of a nuclear power plant in China is screened, covering 9 subsystems and about 24900 items of equipment. The division of equipment failure modes in the FMECA is based on the following premises: (1) the FMECA table records the different states of the equipment in normal operation, and the failure modes of the equipment in each state are considered; (2) large leakage caused by rupture of a metal valve body is not considered.


The classification of the severity of fire protection system failure modes is shown in Table 3.

Table 3. Classification of the severity of fire protection system failure modes

Class | Definition of severity
I | Fire protection functions of nuclear-safety-related systems (or trains) and of areas affecting unit availability are completely lost
II | Redundant fire protection functions of nuclear-safety-related systems (or trains) and of areas affecting unit availability are lost, or fire protection functions of non-nuclear-safety-related systems are completely lost
III | The failure reduces the reliability of the fire protection system but does not directly lead to complete loss of the fire protection function
IV | The failure does not affect the fire protection function

The classification of the failure mode probability of the fire protection system is shown in Table 4.

Table 4. Classification of failure mode probability of the fire protection system

Class | Definition
A | Happens frequently
B | Happens occasionally
C | Happens rarely

The severity and the probability of each failure mode are weighted separately, and the equipment is classified by the combined weight of the severity and probability of its failure modes. Based on this weighted total, after the criticality analysis about 1500 items of key sensitive equipment were selected. They mainly include: fire pumps, air compressors, fire detectors, fire piping, solenoid valves, pressure switches, level switches, fire nozzles, fire alarm hosts and deluge valves (deluge valves and alarm valves). The key sensitive equipment types of the fire protection system are shown in Table 5. Using historical data on the fire protection equipment, such as event sheets, work orders, spare-parts issue records and preventive maintenance procedures, the failure modes and effects of the key sensitive equipment are analyzed. The results are shown in Table 6.
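The screening step described above, as an added example that is not the paper's own procedure: each failure-mode row of an FMECA worksheet gets a severity class from Table 3 and a probability class from Table 4, the two are weighted and combined, every functional location is ranked by its worst failure mode, and the items above a threshold are the "key sensitive" equipment whose types then populate a list like Table 5. The numeric weights, the threshold, the location tags (FL-001 and so on) and the worksheet rows are assumptions constructed for illustration; the paper gives neither its weights nor its raw data.

```python
"""FMECA criticality screening of Sect. 4 (added example, not the paper's procedure).
Severity classes I-IV (Table 3) and probability classes A-C (Table 4) are the
paper's.  The numeric weights, the screening threshold, the functional-location
tags and the worksheet rows are ASSUMPTIONS constructed for illustration."""
SEVERITY_WEIGHT = {"I": 4, "II": 3, "III": 2, "IV": 1}      # assumed ordinal weights
PROBABILITY_WEIGHT = {"A": 3, "B": 2, "C": 1}                # assumed ordinal weights
KEY_THRESHOLD = 6                 # assumed: criticality >= 6 marks "key sensitive" equipment

# Constructed worksheet: location tag; equipment type; failure mode; severity; probability
WORKSHEET = """\
FL-001; fire detector;   false alarm;                  II;  A
FL-001; fire detector;   failure to alarm;             I;   B
FL-002; pressure switch; set value drift;              II;  B
FL-002; pressure switch; loose wiring;                 III; C
FL-003; fire pump;       insufficient outlet pressure; I;   C
FL-004; deluge valve;    action lag;                   II;  C
FL-004; deluge valve;    no action;                    I;   C
FL-005; spray head;      clogging;                     III; B
FL-006; spray head;      wrong spray direction;        IV;  C
"""


def criticality(severity, probability):
    """Weighted severity x probability; rejects classes outside Tables 3 and 4."""
    if severity not in SEVERITY_WEIGHT or probability not in PROBABILITY_WEIGHT:
        raise ValueError(f"unknown class: severity={severity!r} probability={probability!r}")
    return SEVERITY_WEIGHT[severity] * PROBABILITY_WEIGHT[probability]


def parse_worksheet(text):
    """One dict per failure-mode row; malformed rows raise rather than being silently skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [c.strip() for c in line.split(";")]
        if len(fields) != 5:
            raise ValueError(f"expected 5 fields: {line!r}")
        tag, etype, mode, sev, prob = fields
        rows.append({"tag": tag, "type": etype, "mode": mode, "severity": sev,
                     "probability": prob, "crit": criticality(sev, prob)})
    return rows


def rank_equipment(rows):
    """One entry per location tag, ranked by its worst (highest-criticality) failure mode."""
    worst = {}
    for r in rows:
        if r["tag"] not in worst or r["crit"] > worst[r["tag"]]["crit"]:
            worst[r["tag"]] = r
    return sorted(worst.values(), key=lambda r: (-r["crit"], r["tag"]))


def key_sensitive(rows, threshold=KEY_THRESHOLD):
    """Equipment whose worst failure mode reaches the threshold (the paper's ~1500 items)."""
    return [r for r in rank_equipment(rows) if r["crit"] >= threshold]


def key_types(rows, threshold=KEY_THRESHOLD):
    """Equipment types represented among the key sensitive items (cf. Table 5)."""
    return sorted({r["type"] for r in key_sensitive(rows, threshold)})
```

Ranking by the worst failure mode rather than by the sum over modes keeps an item with one class I/B mode ahead of an item with many class IV modes, which is what a maintenance strategy needs to know; with the weights assumed here the fire detector (false alarm, II/A) and the pressure switch (set value drift, II/B) are the only items that clear the threshold, while the fire pump and deluge valve, whose class I modes are rare, fall below it and would need a different weighting to be captured.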


Table 5. Key sensitive equipment types of the fire protection system

System | Key sensitive equipment
Fire detection system | Fire alarm host, fire detector
Fire water production system | Fire pump, pressure switch
Fire water distribution system (NI, CI) | Air compressor, pressure switch, pipeline
Plant fire water distribution system (BOP) | Air compressor, pressure switch, pipeline
Fire protection system of steam turbine building | Solenoid valve, nozzle
Fire protection system of nuclear island | Flood valve, solenoid valve, nozzle
Fire protection system in electrical building | Deluge valve, flood valve
Fire protection system of transformer | Deluge valve, solenoid valve, nozzle
Fire protection system of diesel generator | Deluge valve, solenoid valve, nozzle

Table 6. Failure modes and effects of key sensitive equipment of the fire protection system

Equipment type | Failure mode | Effect
Fire detector | Contact corrosion, interface looseness, sensor dust accumulation, condensation [3], sheath aging, address code drift, board damage | False alarm: linkage equipment malfunctions, downstream equipment malfunctions, or the protected equipment is sprayed by mistake [4]. Failure to alarm: the monitoring function is lost and the linkage equipment cannot operate
Pressure switch | Excessive return difference, set value drift, loose wiring, die box deformation, interface fracture, loose sealing | A misoperation signal is sent, triggering the alarm equipment or the spray equipment
Solenoid valve | Jamming, corrosion, terminal aging, actuator wear | Spray function is unavailable
Deluge valve | No action, action lag | Unable to spray, or response time too long
Spray head | Clogging, corrosion, wrong spray direction | Spray function is unavailable, or the protected area is wrong
Fire pump | Insufficient outlet pressure, no action | Spray function is unavailable
Flood valve | Leakage, corrosion, no action | Unable to respond to the spray signal in time


5 Preventive Maintenance Strategy and Optimization Suggestions

At present, the preventive maintenance of the fire protection system in nuclear power plants mainly consists of an annual visual inspection, regular tests, and periodic replacement of some detectors every three years. During the tests, failures such as detectors failing to alarm, linkage equipment failing to start, and drift of temperature or pressure set values often occur. At the same time, the monthly test of the hydrogen detector contains unnecessary items, while the parameters in the register are not visually checked [5]. Based on the analysis of the main failure modes of the fire protection system and the classification of the key sensitive equipment, and considering the importance of the equipment, its failure frequency and the scope of its influence, together with historical failures, external experience feedback and on-site maintenance measures, a preventive maintenance strategy for the fire protection system of the nuclear power plant is proposed to improve its safety and reliability [6]. The details are given in Table 7.

Table 7. Preventive maintenance strategy for fire protection system equipment (cycle: Y = year, C = cycle)

Equipment type | Maintenance item | Cycle | Maintenance mode
Fire protection host | Check the insulation voltage of the circuit to ground and between lines, the voltage of the fire protection system power supply, and whether the wiring terminals are aged, loose or poorly connected; test the supply time of the standby battery; clean the dust from boards and slots | 1Y | Monitoring/testing/replacement
Fire protection host | Replace the backup battery regularly | 3Y | Direct replacement
Smoke detector | Alarm function test; clean the dust from the surface | 1Y | Testing
Smoke detector | Replace the detector regularly | 3Y | Direct replacement
Smoke detector | Wet areas: check the contacts for corrosion; clean condensation and dust from the surface; test the response time | 0.5Y | Monitoring/testing/repairing
Linear thermal detector | Check the supply voltage of the controller, corrosion of the terminals, sealing and resistance value of the terminating resistor, whether the sheath of the temperature-sensing cable is cracked, whether the alarm temperature of the cable meets the requirements, and whether the alarm trigger response time meets the requirements | 1Y | Monitoring/testing/replacement
Linear thermal detector | Replace the outdoor temperature-sensing cable regularly | 3C | Direct replacement
Infrared flame detector | Check whether the orientation is aligned with the protected equipment, whether there is electrochemical corrosion on the base, whether the chamber is sealed, whether water accumulates in outdoor installations, and whether the trigger response time meets the requirements | 1Y | Monitoring/testing/repairing
Hydrogen detector | Periodic calibration; check whether the alarm set value drifts | 0.5Y | Test/calibration
Hydrogen detector | Replace the combustion chamber (including spare parts) regularly | 3C | Direct replacement
Pressure switch | Sealing inspection, set value verification, return difference test; check for leakage at the interface and sealing parts and whether the frame or die box is deformed | 0.5Y | Monitoring/calibration/repairing
Solenoid valve | Check whether the actuating voltage meets the requirements, whether the actuator is jammed, whether the feedback signal is normal, whether the mechanical parts show abnormal wear, whether the wiring terminals are loose, and whether the voltage level matches | 1Y | Monitoring/testing/repairing
Flood valve | Check the valve body and interface for corrosion and leakage; check whether the resistance of the fuse valve starter is normal; check whether the starting voltage meets the requirements | 0.5Y | Monitoring/testing/replacement
Flood valve | Replace the electromagnetic starter regularly | 3Y | Direct replacement
Nozzle | Check whether the installation direction meets the requirements, whether there is corrosion or blockage, and whether the selected type meets the standard | 1Y | Monitoring/replacement

In addition to the above preventive maintenance strategy, and according to the actual situation of the nuclear power plant, the following maintenance optimization suggestions are put forward:

(1) Track and monitor the environmental status of high-humidity areas, strengthen ventilation and dehumidification in key areas such as the comprehensive pipe gallery in spring and summer, and replace the detector every 2 months from May to October [7].

(2) Optimize the trigger mode of the pressure switch used in the monthly regular test, to prevent the accelerated failure of the pressure switch caused by frequent testing, which increases its failure probability.

(3) Because sunshine and corrosion conditions differ, adjust the replacement period of the outdoor linear thermal detector according to the characteristics of the plant site, to ensure the stable operation of the linear thermal detector in the transformer area.

(4) To prevent entry into the nuclear island during power operation of the unit because of equipment failure, single-point equipment in the nuclear island should be replaced once every 1C [8]. Before replacement, the equipment should be operated in the minimum system for more than 720 h to ensure its reliability.
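The following Python snippet is an added example, not code from the paper: it turns the cycle codes of Table 7 ("1Y", "0.5Y", "3C") into due dates, lists the items that are overdue on a given day, and adds the two-month wet-season replacement of suggestion (1). The length of a cycle "C" (18 months here), the sample last-maintenance dates, and the reading of "every 2 months from May to October" as replacements on 1 May, 1 July and 1 September are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# "C" in Table 7 is read here as a refuelling cycle; the paper gives no length,
# so 18 months is an assumption for this example.
CYCLE_MONTHS = 18


def add_months(d: date, months: int) -> date:
    """Add whole months, clamping the day to the end of the target month."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    first_of_next = date(year + month // 12, month % 12 + 1, 1)
    last_day = (first_of_next - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


def interval_months(code: str) -> int:
    """Translate a Table 7 cycle code ('1Y', '0.5Y', '3C') into a number of months."""
    code = code.strip().upper()
    value, unit = float(code[:-1]), code[-1]
    months = value * {"Y": 12, "C": CYCLE_MONTHS}[unit]   # KeyError on an unknown unit
    if months != int(months) or months <= 0:
        raise ValueError(f"{code!r} is not a positive whole number of months")
    return int(months)


@dataclass
class Task:
    equipment: str
    project: str
    mode: str
    cycle: str
    last_done: date


def next_due(task: Task) -> date:
    return add_months(task.last_done, interval_months(task.cycle))


def overdue(tasks, today: date):
    """(equipment, project, due date) for every task whose due date has already passed."""
    return [(t.equipment, t.project, next_due(t))
            for t in tasks if next_due(t) < today]


def wet_season_replacements(year: int):
    """Suggestion (1): replace the detector every 2 months from May to October, read here
    as replacement dates on 1 May, 1 July and 1 September (assumed interpretation)."""
    return [date(year, m, 1) for m in (5, 7, 9)]


# Constructed maintenance history for a few Table 7 rows (not plant data).
TASKS = [
    Task("Fire protection host", "Insulation, power supply and terminal check",
         "Monitoring/testing/replacement", "1Y", date(2020, 3, 1)),
    Task("Fire protection host", "Replace the backup battery",
         "Direct replacement", "3Y", date(2018, 3, 1)),
    Task("Smoke detector (wet area)", "Contact corrosion, condensation, response time",
         "Monitoring/testing/repairing", "0.5Y", date(2020, 11, 1)),
    Task("Hydrogen detector", "Replace the combustion chamber",
         "Direct replacement", "3C", date(2017, 1, 1)),
    Task("Linear thermal detector", "Replace the outdoor temperature sensing cable",
         "Direct replacement", "3C", date(2019, 6, 1)),
]

if __name__ == "__main__":
    today = date(2021, 6, 1)
    for equipment, project, due in overdue(TASKS, today):
        print(f"OVERDUE since {due}: {equipment} - {project}")
    print("wet-season detector replacements:", wet_season_replacements(today.year))
```

Because the cycle unit is resolved in one place, a plant that counts "C" differently only needs to change CYCLE_MONTHS; the date arithmetic clamps to month ends so a task last done on 31 January is not pushed into March.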

6 Conclusion

FMECA is used to analyze the fire protection system of the nuclear power plant, and the weak links and key equipment of the system are determined. Combined with the actual situation, the failure causes and maintenance strategies of the key equipment are studied in depth, and the items to be improved and the optimization contents of the relevant equipment maintenance program are proposed. In practice, the optimization project effectively reduces the failure rate of fire-fighting equipment, reduces unnecessary personnel investment, and ensures the reliable and stable operation of the fire-fighting system of the nuclear power plant. This method can also be used for failure analysis and maintenance strategy optimization of other systems.

References
1. Zhou, Z., et al.: Fuzzy FMECA method for product reliability analysis. J. Electr. Mach. Control 14(10), 89–93 (2010)
2. Shi, J.-Y., et al.: Extended FMECA method application research. Measur. Control Technol. 30(5), 110–114 (2011)
3. Xie, Q.-Y., et al.: Study on false alarm of smoke detector caused by humidity. Chin. J. Saf. Sci. 1, 87–90 (2004)
4. Wang, D., et al.: Study on the influence of ambient temperature and horizontal installation position on the response performance of smoke detector. Build. Sci. 25(5), 67–69 (2009)
5. Yu, Z.: Analysis of environmental fire protection characteristics and effective solutions for thermal power plant. Mod. Build. Electr. 2(8), 35–37 (2011)
6. Li, Q., Wang, M.-N., Li, Y.: Structure parameters of entrance section of shaft type emergency exit in railway tunnel. China Railway Sci. 36(5), 36–42 (2015)
7. Fan, W.-C., et al.: Fire Risk Assessment Methodology. Science Press, Beijing (2004)
8. Carvel, R.O., Beard, A.N., Drysdale, D.D.: Variation of heat release rate with forced longitudinal ventilation for vehicle fires in tunnels. Fire Saf. J. 36(6), 569–596 (2001)

Improvement in Test Methods and Structural Design for In-core Coolant Level Detector of HPR1000

Wei-Jie Huang1, Peng Deng2, Bao-Cheng Li2, Zhi-Jun Li2, and Liang Li1(B)

1 Nuclear and Radiation Safety Center MEE, Beijing 102400, China
2 China Nuclear Control System Engineering Co., Ltd., Beijing 102401, China

Abstract. As an essential class 1E primary instrument of the core cooling monitoring system (CCMS), the in-core coolant level detector is used to monitor the coolant level inside the reactor pressure vessel (RPV). Normally, the functional test is the fundamental means of verifying whether the in-core coolant level detector can fulfill its safety function. However, because of inappropriate testing approaches and an incomplete design, the level tracking curves of the in-core coolant level detector developed for HPR1000 were unsatisfactory during the functional test: they showed a certain degree of deviation from the expected curves and could not track the real coolant level variation in time. After technical analysis, the root cause of the issue is identified, and improvements in the test methods and in the level detector's structural design are implemented. The improved level measuring curves of the in-core coolant level detector are then shown to prove the effectiveness of the measures taken.

Keywords: In-core coolant level detector · HPR1000 · Functional test · Nuclear safety

The core cooling monitoring system (CCMS) is used for on-line monitoring of the core outlet temperature, the reactor pressure vessel water level and the subcooling margin of the coolant in the pressure vessel under normal, accident and post-accident conditions [1]. The in-core coolant level detector (hereinafter referred to as the level detector) assembly is an essential component of the CCMS that is mounted at the inlet and outlet of the RPV to reflect the change of core water content [2]; it is used to monitor whether the core is exposed or not, and is directly used to determine the post-accident control strategy and operating procedures [3]. Because of the importance of these safety functions, the signal from the level detector shall track the variation of the coolant level in the RPV in time while withstanding long-term thermal aging, high temperature, irradiation, earthquake, LOCA and severe accident environments. However, during the functional test of the level detector of HPR1000, the output could not quickly respond to the real level variation and showed large fluctuation in the initial phase of a level change. This paper demonstrates this testing issue, identifies the root cause of the phenomenon, and introduces the improvements in the test methods and in the level detector's structural design. The level measuring curves of the detector implemented with the improved measures are then shown to prove the effectiveness of the improvement.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 674–680, 2021. https://doi.org/10.1007/978-981-16-3456-7_67

Improvement in Test Methods and Structural Design

675

1 Introduction of Level Detector

The coolant in the reactor pressure vessel can be regarded as being in two states: liquid water and water vapor [4]. The design concept of the level detector is based on the thermal principle that there are significant differences in thermal conductivity between the vapor phase and the liquid phase [5]. Each detector is composed of four thermocouples and two electric heaters, which are arranged along the axis of the detector assembly and make up two measuring points and two reference points to detect the in-core coolant level. Figure 1 shows the structure of the level detector.

Fig. 1. Structure of level detector

Specifically, each level measuring point consists of a level thermocouple with an electric heater, and each reference point has a reference thermocouple mounted lower than the level thermocouple. Figure 2 is the specific structure of the measuring section of the level detector.

Fig. 2. Specific structure of the level measuring section

Since all the components are submerged in coolant during normal operation, the temperature difference between the level thermocouple and the reference thermocouple is relatively constant. Because thermal conductivity decreases significantly in the vapor phase, when the coolant level drops below the level thermocouple with its electric heater, the ambient temperature around the level thermocouple increases rapidly under the action of the heater. By this means, the measurement of the vapor-liquid interface is converted into a temperature difference measurement [5]. Once the temperature difference between the level thermocouple in the vapor environment and the reference thermocouple in the liquid environment exceeds the threshold (>5 °C), it can be determined that the coolant level in the RPV is lower than the measuring point, and an alarm signal is sent out.

676

W.-J. Huang et al.

2 Functional Test Issues

Performance monitoring tests shall be performed to verify that instrumentation channels important to safety in nuclear power plants operate within the normal specified performance envelope [6]; the functional test is therefore the basic means of checking the functional characteristics under normal ambient conditions and within all specified limits of normal operation [7]. In the normal functional test process, the level detector is mounted on a pressure vessel for the level function test, and the level in the vessel is then raised and lowered at the temperature points of 50 °C, 100 °C, 150 °C, 200 °C, 250 °C, 280 °C, 300 °C, 320 °C and 340 °C. The expected response of the temperature difference for each level measuring point should be greater than 5 °C within 30 s at the given temperature point. In the initial functional test of the newly developed level detector, a sample was tested at each of the temperature points mentioned above and the test results were recorded by an oscilloscope. In the analysis phase after the test, the results show that the overall technical requirement for the response of the temperature difference is achieved; however, the output signal curve of the temperature difference is found to be unsatisfactory at relatively high temperatures such as 200 °C, 250 °C, 280 °C, 300 °C, 320 °C and 340 °C. Figure 3 is the record of the output signal curves of the upper level point and the lower level point from two independent samples at 200 °C.

Fig. 3. Output curves at 200 °C

It can be seen from the output curves that: (1) The temperature difference amplitude of thermal response of upper level points is smaller than that of lower level points when the upper level points are exposed in vapor environment. (2) The output curve of upper level point of sample 1 fluctuates greatly.


Although the requirement of a 5 °C thermal response within 30 s is achieved, the performance of the detector is still unsatisfactory because of the defect in reflecting the level variation in time. It is difficult to identify whether the issues found in the functional test are caused by a design defect and whether they would cause a safety problem. Therefore, it is necessary to analyze the issues for their root causes.
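The following Python snippet is an added example, not code from the paper: it implements the temperature-difference detection rule of Sect. 1 and the 5 °C-within-30 s acceptance criterion of Sect. 2 on two constructed curves, a smooth first-order response and one with a periodic ripple that stands in for the condensate-driven fluctuation, and shows why a curve can meet the stated requirement yet still be judged unsatisfactory. The curve shapes, the 1 s sampling interval and the 1 °C limit on settled fluctuation are assumptions of this example, not values from the paper.

```python
import math

THRESHOLD_C = 5.0    # alarm when (level thermocouple - reference thermocouple) exceeds 5 °C
WINDOW_S = 30.0      # the functional test requires the threshold to be exceeded within 30 s


def simulate_curve(plateau_c, tau_s, ripple_c=0.0, ripple_period_s=6.0,
                   duration_s=60.0, dt_s=1.0):
    """Constructed temperature-difference curve after the level drops below the point:
    first-order heating towards plateau_c, plus an optional periodic ripple that stands
    in for the condensate-driven fluctuation of Sect. 3.1 (not measured data)."""
    samples = []
    for i in range(int(duration_s / dt_s) + 1):
        t = i * dt_s
        base = plateau_c * (1.0 - math.exp(-t / tau_s))
        ripple = ripple_c * math.sin(2.0 * math.pi * t / ripple_period_s)
        samples.append((t, base + ripple))
    return samples


def level_below_point(delta_t_c):
    """Detection rule of Sect. 1: the point is uncovered once the difference exceeds 5 °C."""
    return delta_t_c > THRESHOLD_C


def response_time_s(samples):
    """First sample time at which the alarm rule fires, or None if it never fires."""
    for t, delta_t in samples:
        if level_below_point(delta_t):
            return t
    return None


def fluctuation_c(samples, from_s):
    """Peak-to-peak swing of the difference from from_s onwards (the settled part)."""
    values = [d for t, d in samples if t >= from_s]
    return max(values) - min(values)


def evaluate(samples, settle_s=30.0, max_fluctuation_c=1.0):
    """Acceptance check: the 5 °C-within-30 s requirement, plus an assumed limit on the
    settled fluctuation so that a curve like sample 1 in Fig. 3 is flagged as well."""
    rt = response_time_s(samples)
    swing = fluctuation_c(samples, settle_s)
    meets = rt is not None and rt <= WINDOW_S
    return {
        "response_time_s": rt,
        "meets_30s_requirement": meets,
        "fluctuation_c": swing,
        "curve_satisfactory": meets and swing <= max_fluctuation_c,
    }


if __name__ == "__main__":
    smooth = simulate_curve(plateau_c=12.0, tau_s=8.0)               # shape like Fig. 5
    noisy = simulate_curve(plateau_c=8.0, tau_s=8.0, ripple_c=2.0)   # shape like sample 1 in Fig. 3
    for name, curve in (("smooth", smooth), ("noisy", noisy)):
        print(name, evaluate(curve))
```

Both constructed curves cross 5 °C within a few seconds, so the requirement alone accepts them; only the fluctuation figure separates the one that tracks the level cleanly from the one that does not, which is the distinction the test analysis in this section draws.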

3 Root Causes Analysis and Improvement

3.1 Root Causes Analysis

For the above unsatisfactory test phenomenon, a technical analysis is carried out to find the root causes of the defect. The principle of coolant level measurement is that the efficiency of thermal conduction in liquid is higher than that in vapor. Under the operating condition of constant current, the structure and heating state of the level measuring component also remain constant, whether in vapor or in liquid. However, if the vapor in the pressure vessel is saturated, condensation water may form and attach to the outer metal shell of the part of the detector exposed to saturated vapor. When this happens at the level measuring point, the following phenomena occur:

(1) The condensation water adheres to the outer stainless steel shell of the detector at the level measuring point and changes the heat transfer medium, so that the temperature difference range of the thermal response is relatively smaller than in vapor.

(2) The condensate water flows on the outer stainless steel shell of the detector at the level measuring point, which leads to an obvious fluctuation of the level point temperature because of the varying heat transfer medium.

The test pressure vessel is a vertical slender cylinder (about 5.8 m long and 17 cm in diameter), and heating and heat preservation devices are arranged in the middle of the vessel. Under high temperature conditions, there is a certain temperature gradient in the vertical direction of the test pressure vessel: the temperature of the upper part of the vessel is lower than that of the middle part. When the water level rises and falls, the saturated steam and the liquid water in the vessel are in a dynamic balance of mutual conversion. The level detector penetrates into the test pressure vessel from the top, and the level measuring point is located in the upper part of the vessel. When the water level inside the test pressure vessel is lower than the level measuring point, the saturated steam in the upper part of the vessel is easily converted into condensate water when it is cooled, which leads to attachment or flow of condensate water on the outer shell at the level measuring point, so the output signal becomes unstable.

3.2 Improvement Measures

According to the root cause analysis, corresponding improvement measures in the test equipment, the test methods and the detector's structural design are implemented in the level function test to reduce the generation of condensate when the level measuring point is exposed to saturated vapor.


For the improvement in test equipment, heating and heat preservation devices are added at the top of the test pressure vessel. For the improvement in test methods, the following measures are taken:

(1) In the process of level falling, the water is discharged directly out of the test pressure vessel, which is more similar to a LOCA;

(2) The speed of the rising and falling water level is adjusted properly and controlled in the range of 2–6 mm/s;

(3) The heating device in the middle of the vessel is turned off while the water level is rising and falling;

(4) Under high temperature conditions, the number of water level rises and falls is increased appropriately to stabilize the vapor and liquid states in the vessel.

For the improvement in the detector's structural design, since the contactor is the key element that enables the level thermocouple to perform its function, the electric heater mounted at the level measuring point is moved to the end of the level thermocouple contactor for better evaporation of the condensate water generated on the outer shell. Figure 4 shows the modification of the design.

Fig. 4. Modification on structural design of the level measuring section

Through the above measures, the process of vapor-liquid conversion is slowed down while the water level rises and falls, and the generation of condensate water in the upper part of the test pressure vessel and on the outer shell is reduced.

4 Result

After implementation of the improvement measures, the functional test is carried out again with two samples of the level detector to verify the effect of the improvement. In the improved level function test, the temperature difference curves of the two samples are obviously improved at the high temperatures of 200 °C, 250 °C, 280 °C, 300 °C, 320 °C and 340 °C; the thermal response temperature difference amplitudes of the samples are all greater than 5 °C within 30 s, which meets the test requirements, and the thermal response temperature difference amplitudes of the level points show good consistency. Figure 5 shows the improved output curves of the two samples at 200 °C. Compared with Fig. 3, the fluctuation amplitude of the temperature difference curve of the level measuring point in Fig. 5 is obviously improved, and the shape of the curve is relatively smooth and consistent. Based on the test results, the functional integrity of the level detector can be proved.

Fig. 5. Improved output curves at 200 °C

5 Conclusions

It is very important to monitor the coolant capacity of the primary loop with the in-core level detector [8], especially in accident or post-accident conditions. The functional test is an important means of verifying the performance of the level detector. Because of the incomplete test equipment and methods, the output curve fluctuated greatly, so it was hard to determine the functional integrity of the detector. Through principle analysis, it is found that the attachment and flow of condensate water generated on the outer shell of the detector's level measuring point is the root cause of the test issues. To eliminate the influence of the condensate water, improvement measures are implemented in the test equipment, test methods and detector design; after that, the improvement is verified at the same temperature platforms and the real performance of the detector is fully reflected. The process of finding, analyzing and solving test issues is very useful for deeply understanding the relevant physical principles of level measurement by temperature difference and has strong guiding significance for future design work and nuclear safety review.

References
1. He, Z.-X., He, P., Chen, X.-K., Xu, T.: Design of core cooling monitoring system in HPR1000. Nucl. Power Eng. 39(5), 154–158 (2018)
2. Zhao, C.-S., Tan, X.-N., Zhao, D.-W.: Research on equipment qualification of reactor core operation status monitor. Electron. Instrum. Cust. 26(09), 78–81 (2019)
3. Huang, Y., Guo, W., He, B.-Y.: Design of in-core instrumentation system for a compact small modular reactor. Electron. Instrum. Cust. 27(09), 58–61+20 (2020)
4. He, Z.-X., Yu, J.-H., Li, X.-F., Gou, T.: Design of core cooling monitoring system based on SOP. Nucl. Power Eng. 33(5), 107–110 (2012)
5. Wang, W.-R., Jiang, Y.-Y., Duan, Q.-S.: The level monitor system for nuclear reactor vessel during and after accident. Nucl. Electron. Detect. Technol. 17(3), 168–171 (1997)
6. NB/T 20069-2012: Performance Monitoring Test of Instrumentation Channels Important to Safety in Nuclear Power Plants. Atomic Energy Press, Beijing (2012)
7. IEC 60780-1998: Nuclear Power Plants – Electrical Equipment of the Safety System – Qualification. International Electrotechnical Commission, Geneva (1998)
8. Wang, X.: The water level measurement of PWR plant coolant system. Electron. Instrum. Cust. 25(01), 85–87 (2018)

Discussion of Intelligent IP Camera Application in Nuclear Power Plant Video Monitoring System

Lei Li1(B), Fei-Yang Sun1,2, Zheng-Tao Chen1, and Ya-Jie Tian1

1 State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co., Ltd., Shenzhen 518172, China
2 Sino-French Institute of Nuclear Engineering and Technology, Sun Yat-sen University, Guangzhou 510275, China

Abstract. This article mainly discusses the application of intelligent IP cameras in the video monitoring system of a nuclear power plant. Firstly, three monitoring requirements of the existing video monitoring system of the nuclear power plant are analyzed, and the advantages and characteristics of intelligent IP cameras are given. On this basis, the monitoring scenarios that can be realized by a nuclear power plant video monitoring system based on IP cameras are given. It is concluded that the application of intelligent IP cameras can greatly improve the digital and intelligent level of the nuclear power plant monitoring system.

Keywords: Nuclear power plant · IP camera · Intelligence

1 Introduction

The video surveillance system has always been an important auxiliary system for nuclear power plant safety. In daily monitoring, it can minimize the workload of inspections and save labor costs; in areas with high radiation levels such as the nuclear island, it can reduce the health risks of workers; in emergency situations, the monitoring system combined with other sensors alarms immediately, and the staff can intuitively and quickly understand the real-time status of the monitoring point. Industrial surveillance systems before 2004 usually used analog cameras as the video capture part [1]. With the rapid development of informatization and digital technology, the demand for monitoring systems in nuclear power plants has gradually increased. A complete video surveillance system generally consists of five parts: video capture, transmission, storage, display/control, and management [2]. As the front end of the surveillance system, the importance of the video capture part is self-evident. The application of smart IP cameras can well meet the needs of nuclear power plants for modern monitoring systems.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021 Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 681–687, 2021. https://doi.org/10.1007/978-981-16-3456-7_68

682

L. Li et al.

2 Video Surveillance Requirements of Nuclear Power Plants

The Daya Bay Nuclear Power Plant, the first large-scale commercial nuclear power plant in mainland China, started construction in 1987, when digital technology had not yet been developed. Similarly, early nuclear power plants were subject to technical limitations, and their monitoring systems were only used to ensure the most basic safety requirements. However, with the development of digital technology, the need for monitoring in nuclear power plants has gradually increased. The following analyzes the monitoring requirements of modern nuclear power plants from three aspects.

2.1 Security Requirements

Ensuring the safety of nuclear power has always been the primary principle in nuclear power engineering. Potential dangers in operating nuclear power plants mainly come from several sources: disasters caused by fatigue or defects of equipment and materials, risks caused by illegal intrusion by unauthorized personnel, and hidden dangers caused by misoperation by staff. An intelligent monitoring system can predict these risks and realize timely detection, timely alarm and automatic processing. Security requirements are further reflected in the high requirements for the clarity of real-time monitoring images, the high requirements for the accuracy and timeliness of the alarm and early warning system, and the requirement that the video monitoring system be linked with other systems to ensure safety.

2.2 Intelligent Requirements

Intelligent technology can greatly improve security and further save labor costs. In terms of picture clarity, on top of the high definition of the video surveillance picture, an intelligent algorithm is needed to further process the noise in the surveillance picture and provide a better quality video picture. In terms of personnel, because of rotation there is a large flow of personnel in nuclear power plants. At the same time, because of the large area of the site, the staff are relatively scattered, so an intelligent system is required to identify and count the personnel. In terms of disasters, when a disaster occurs at a monitoring point, smoke sensors, temperature sensors and other equipment will give an alarm. Modern video surveillance also requires disaster sensing and early warning functions, and should be linked with other sensors to improve the accuracy of judgment.

2.3 Upgrade Requirements

In recent years, network technology and intelligent technology have advanced by leaps and bounds, and many new technologies such as edge computing and big data are proposed every few years. These technologies can be applied to the video surveillance system of nuclear power plants. Nuclear power plants have a long construction period and a long service life. Therefore, during the operation of a nuclear power plant, the initially designed video surveillance system must be upgraded iteratively. Moreover, because of the complexity of the site in a nuclear power plant, the equipment and engineering required for upgrading and transformation need to be kept as small as possible.

Discussion of Intelligent IP Camera Application in Nuclear Power Plant

683

3 Functions and Advantages of Smart IP Cameras

Industrial surveillance systems before 2004 usually used analog cameras as the video capture part. For the analog video signal collected by an analog camera, even if a digital video recorder (DVR) is used for digital processing and storage, meeting the storage requirements cannot be guaranteed. In addition, the data transmission capacity of the analog signal is limited, and it is difficult to meet the increasingly high bandwidth requirements of video surveillance systems. It is also difficult to achieve flexible data collection, scheduling, and synthesis of related image data based on analog signals. Smart IP cameras can fully solve the above-mentioned shortcomings of analog cameras.

3.1 Easy to Manage/Expand/Upgrade

With the trend towards intelligent nuclear power plants and the high emphasis on nuclear power safety, more and more points need to be monitored in nuclear power plants. The analog camera transmits the analog video signal through a coaxial cable, which is converted into a digital signal by the DVR and then transmitted to the terminal; when the analog monitoring system needs additional front-end analog cameras and the monitoring points are widely distributed, front-end DVRs must be added, so the configuration is less flexible [3]. The IP camera transmits the processed digital signal without a DVR: the video content is transmitted directly to the server and terminal through the transmission network, and it is very convenient to add cameras. In addition, although the digital video system built from smart IP cameras requires a slightly larger one-time equipment investment than a conventional analog video network [4], smart IP cameras have huge advantages in terms of installation, functions, and later expansion [5], so they have a high cost performance. Upgrading this kind of camera is also very convenient. The algorithms of the intelligent functions will be continuously upgraded and iterated with the advancement of technology. Smart IP cameras can achieve targeted algorithm upgrades directly through OTA, so the amount of upgrade work is almost zero.

3.2 Bandwidth Saving

The increase in video surveillance points will also bring video transmission problems. Configuring high-definition cameras can greatly improve the observability of the monitoring picture, lay a good foundation for the intelligent video functions, improve the accuracy of intelligent video analysis, and also make up for the picture noise and picture distortion caused by harsh environmental conditions such as irradiation, wind, sand and humidity. But high-definition cameras also bring some problems, mainly the high storage space and high bandwidth occupation of high-definition video. The more video monitoring points and the higher the video resolution, the higher the bandwidth required to transmit the video signals. High-bandwidth transmission is theoretically achievable, for example by laying multiple optical fibers and network cables to transmit the signals. However, this method also has certain drawbacks. Firstly, it is inconvenient for connecting more surveillance cameras. Generally, the life of a nuclear power plant is 40 years. After decades, video information analysis technology and unmanned, intelligent nuclear power plants will have advanced greatly, so more monitoring points will be required. Secondly, it will increase construction costs and equipment procurement costs. To improve bandwidth utilization, the usual method is to build a video compression module into the IP camera. At the same resolution, the smaller the compression ratio of the video file, the higher the picture quality but the larger the bandwidth occupied; conversely, the higher the compression ratio, the smaller the bandwidth occupied, but the picture quality is affected accordingly. In addition, the signal transmitted after video compression contains noise; if the intelligent analysis system analyzes and processes such video, the error rate will be greater. Choosing an IP camera with embedded intelligent functions can greatly save bandwidth. The bandwidth occupancy can be adjusted by designing a monitoring system strategy, and the operating status can be divided into three types: normal operating status, abnormal condition status, and manual viewing status. Under normal operating conditions, only a small number of camera monitoring images are displayed on the terminal; the staff can customize the monitoring images that are automatically displayed in each time period. The other cameras run the intelligent video functions inside the camera and then only need the network cables and optical fibers to transmit data information, for which the bandwidth requirement is much smaller than for video transmission. The data information needs to include complete camera equipment status information: camera IP address, camera MAC address, PTZ, lighting equipment, PTZ tilt and rotation angle information, lighting brightness and other information. Some other information also needs to be extracted from the monitoring screen: shooting time, overall screen brightness, signal-to-noise ratio, people in the screen and other information. Under abnormal conditions, the transmission line mainly carries high-definition video from the abnormal monitoring point and nearby monitoring points, while the other cameras only transmit data information, ensuring the timeliness and high definition of the video transmission. In the manual viewing state, the staff can specify the video of a monitoring point to be displayed on the terminal screen; the line gives priority to the video signal of the specified camera, and the other cameras transmit video signals or data information according to demand.

3.3 Front-End Intelligent Functions

Smart IP cameras can use the built-in SOC chip to perform the smart video functions, instead of compressing all video signals and transmitting them to the terminal analysis platform for analysis. The intelligent functions commonly used in nuclear power plants, described in Sect. 4, can be embedded in the SOC chip according to the purpose of the camera. The videos at the front end are all uncompressed high-definition original images, so the intelligent functions can achieve their best effect.
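The following Python snippet is an added example, not code from the paper, of the three-state bandwidth strategy described in Sect. 3.2: in the normal state only the scheduled pictures go out as HD video, in the abnormal state the alarm point and its neighbours, in the manual viewing state the requested picture, and every other camera sends only the data record (IP address, MAC address, PTZ angles, lighting state and brightness, shooting time, picture brightness, signal-to-noise ratio and people count). The camera set, its addresses, the display schedule and the per-camera bit-rate budgets are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum

# Assumed per-camera link budgets (kbit/s); the paper gives no figures.
HD_VIDEO_KBPS = 4000
DATA_ONLY_KBPS = 16


class SystemState(Enum):
    NORMAL = "normal"       # only scheduled pictures are shown on the terminal
    ABNORMAL = "abnormal"   # an alarm is active at one monitoring point
    MANUAL = "manual"       # an operator has requested a specific picture


class Payload(Enum):
    HD_VIDEO = "hd_video"   # full high-definition stream
    DATA = "data_only"      # equipment status plus information extracted from the picture


@dataclass(frozen=True)
class Camera:
    camera_id: str
    ip: str
    mac: str
    neighbours: tuple = ()  # ids of the cameras covering nearby monitoring points


def status_record(cam, pan_deg, tilt_deg, lighting_on, brightness,
                  people_count, snr_db, shot_at):
    """Data-only payload: the equipment status and screen-derived fields of Sect. 3.2."""
    return {
        "camera_id": cam.camera_id, "ip": cam.ip, "mac": cam.mac,
        "ptz_pan_deg": pan_deg, "ptz_tilt_deg": tilt_deg,
        "lighting_on": lighting_on, "lighting_brightness": brightness,
        "shot_at": shot_at, "people_in_frame": people_count, "snr_db": snr_db,
    }


def transmission_plan(state, cameras, *, hour=None, schedule=None,
                      abnormal_id=None, requested_id=None, on_demand=()):
    """Assign HD video or data-only transmission to every camera for the given state."""
    by_id = {c.camera_id: c for c in cameras}
    if state is SystemState.NORMAL:
        if hour is None:
            raise ValueError("hour is needed to pick the scheduled pictures")
        # the staff customise which pictures are shown in each time period
        video = set()
        for (start_hour, end_hour), ids in (schedule or {}).items():
            if start_hour <= hour < end_hour:
                video.update(ids)
    elif state is SystemState.ABNORMAL:
        if abnormal_id not in by_id:
            raise ValueError(f"unknown abnormal camera {abnormal_id!r}")
        # the alarm point and its neighbours go to HD; everything else sends data only
        video = {abnormal_id, *by_id[abnormal_id].neighbours}
    elif state is SystemState.MANUAL:
        if requested_id not in by_id:
            raise ValueError(f"unknown requested camera {requested_id!r}")
        # the requested picture has priority; other cameras send video only on demand
        video = {requested_id, *on_demand}
    else:
        raise ValueError(f"unknown state {state!r}")
    video &= set(by_id)  # ignore ids that are not part of the camera set
    return {cid: (Payload.HD_VIDEO if cid in video else Payload.DATA) for cid in by_id}


def link_load_kbps(plan):
    """Total uplink load implied by a plan, under the assumed per-camera budgets."""
    return sum(HD_VIDEO_KBPS if p is Payload.HD_VIDEO else DATA_ONLY_KBPS
               for p in plan.values())


# Constructed example site: four cameras along one corridor (addresses are placeholders).
CAMERAS = (
    Camera("cam-01", "10.0.0.11", "02:00:00:00:00:11", neighbours=("cam-02",)),
    Camera("cam-02", "10.0.0.12", "02:00:00:00:00:12", neighbours=("cam-01", "cam-03")),
    Camera("cam-03", "10.0.0.13", "02:00:00:00:00:13", neighbours=("cam-02", "cam-04")),
    Camera("cam-04", "10.0.0.14", "02:00:00:00:00:14", neighbours=("cam-03",)),
)
SCHEDULE = {(0, 8): ("cam-01",), (8, 24): ("cam-01", "cam-04")}

if __name__ == "__main__":
    for state, kwargs in [
        (SystemState.NORMAL, {"hour": 3, "schedule": SCHEDULE}),
        (SystemState.ABNORMAL, {"abnormal_id": "cam-02"}),
        (SystemState.MANUAL, {"requested_id": "cam-04"}),
    ]:
        plan = transmission_plan(state, CAMERAS, **kwargs)
        print(state.value, {k: v.value for k, v in plan.items()}, link_load_kbps(plan), "kbit/s")
```

The neighbour relation is data on the camera object rather than derived from IP addresses, because physical adjacency of monitoring points is what the abnormal state needs and it does not follow from the network layout.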


4 Intelligent Video Function The monitoring and operating environment of nuclear power plant is different from that of other factories or cities. From the early application research, several application scenarios can be summarized as follows: • The image of nuclear island area monitoring is de noised, and the white noise caused by nuclear radiation is removed by the algorithm, which affects the image clarity and integrity. • Fire, leakage and other disaster monitoring, using the algorithm to automatically identify the scene of fire, liquid overflow, etc., when the above situation occurs, the system combines with other sensors to conduct video linkage, calculate the recognition accuracy, and push the scene monitoring screen to the operator display screen, and frame the fire location, display credibility, disaster forecast development trend and other data and information. • In real-time monitoring images, people and objects out of plan will be tracked automatically when they move. After the unplanned motion detection is triggered for a period of time, the alarm will be sent to manual processing and verification. • Face recognition is carried out to identify the identity of the field operator. Compared with the work tasks of the field operator, if the operator enters the wrong area by mistake, the system will push the reminder and warning information to the operator’s PDA. • Statistics of the number of people entering and leaving the plant for security related purposes. • Monitor the forbidden area and push the alarm information to the security room and the main control room when there are unauthorized personnel entering the forbidden area. • Through the pick-up, the noise generated by the normal operation of the machine is removed, and whether the sound signal is abnormal is analyzed and compared with the video information. • The abnormal information is stored, and the ordinary video recording is deleted after 7 days. 
The abnormal scene information is marked with the date, occurrence time, end time, type, location, processing method and result of the exception, and is then filed into storage. In summary, the intelligent functions can be divided into two types: intelligent processing of video images and intelligent analysis of video content.

4.1 Intelligent Processing and Optimization

Because of the camera's environment or an accidental failure of the camera's own parts, the monitoring picture may be incomplete or part of the picture area may be wrong. The camera needs to eliminate these interferences and noises through a preset algorithm. Common interferences that need to be dealt with are:

• Blurred-picture recognition and early-warning alarm. When the picture is blurred, the cause of the blur is determined from the historical picture, and operations such as automatic focusing are performed to confirm whether the picture is normal. If the status cannot be confirmed, an alarm is sent to the terminal.
• Detection and treatment of problems such as picture freezing and picture jitter. When such a problem occurs, the camera checks whether its PTZ (pan-tilt-zoom) mount is abnormal, links other sensors to check for abnormalities such as vibration at the location, and restarts automatically to confirm whether the problem disappears. If the status cannot be confirmed, an alarm is sent to the terminal.
• Detection and processing of abnormal brightness and color. When such a problem occurs, the camera self-checks whether its supporting lighting is abnormal and restarts automatically to confirm whether the problem has disappeared; if the situation cannot be confirmed, an alarm is sent to the terminal.
For cameras in special locations, corresponding processing optimization settings can also be made:
• For cameras in irradiated areas, an image algorithm must be preset to eliminate the white noise caused by irradiation.
• For cameras in outdoor areas or areas with frequent brightness changes, a brightness-change recognition algorithm must be preset to match the use of lighting.

4.2 Intelligent Analysis

The intelligent analysis of the video should be set according to the application scenario and the purpose of each camera. The following are common intelligent analyses. The cameras at each checkpoint must have an intelligent analysis function for counting the number of people at entrances and exits, be able to recognize the faces of personnel, and link to the personnel information database for comparison.
The cameras at the main equipment points must have the analysis function of disaster warning and alarm. Common disasters include fires, container leaks and broken pipes. Algorithms with high recognition rates for these disasters can be applied [6]. It is also possible to train the algorithm on the special scenes of the nuclear power plant to further improve its recognition accuracy in the plant's video surveillance scenes. Smart IP cameras already have the function of identifying disasters [7, 8], and they also need to compare data from other sensors to reduce the false alarm rate. If a camera raises a false alarm, the video at the time of the false alarm can also be used to train the recognition algorithm and improve its accuracy.
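As an added illustration of the camera self-checks of Sect. 4.1 (blur, freeze, abnormal brightness) and of the sensor cross-check against false alarms in Sect. 4.2, the following standard-library Python is example code written for this page, not the authors' system. It computes three frame health indicators on constructed 8 × 8 grey-scale frames and raises a disaster alarm only when an independent sensor agrees with the video detector; a confident video detection that the sensor does not confirm is kept as a candidate for manual review and later retraining, as the text describes. The thresholds, the frame layout and the sample frames are assumptions chosen for the demonstration, not values from the paper.

```python
"""Frame health checks and sensor-confirmed alarms for an IP camera feed (added example).

Frames are 2-D lists of 8-bit grey values constructed inline. Thresholds are
assumptions for these constructed frames and would be tuned per camera/site.
"""
from statistics import mean, pvariance

# Assumed thresholds (not from the paper).
BLUR_VAR_MIN = 50.0                  # variance of Laplacian below this -> "blurred"
FREEZE_DIFF_MAX = 1.0                # mean |frame_t - frame_t-1| below this -> "frozen"
BRIGHT_MIN, BRIGHT_MAX = 40.0, 215.0  # mean grey outside this band -> "abnormal_brightness"


def laplacian_variance(frame):
    """Variance of the 4-neighbour Laplacian over interior pixels.
    Sharp edges give a large value; blur (or a uniform scene) gives a small one,
    which is why the paper follows a low score with autofocus and a history check."""
    h, w = len(frame), len(frame[0])
    vals = []
    for y in range(1, h - 1):
        for x in range(1, w - 1):
            vals.append(frame[y - 1][x] + frame[y + 1][x]
                        + frame[y][x - 1] + frame[y][x + 1] - 4 * frame[y][x])
    return pvariance(vals)


def mean_abs_diff(a, b):
    """Mean absolute pixel difference between two same-sized frames."""
    return mean(abs(pa - pb) for ra, rb in zip(a, b) for pa, pb in zip(ra, rb))


def mean_brightness(frame):
    return mean(p for row in frame for p in row)


def frame_health(prev, cur):
    """Return the Sect. 4.1 interference classes detected on `cur` (prev may be None)."""
    issues = []
    if laplacian_variance(cur) < BLUR_VAR_MIN:
        issues.append("blurred")
    if prev is not None and mean_abs_diff(prev, cur) < FREEZE_DIFF_MAX:
        issues.append("frozen")
    if not BRIGHT_MIN <= mean_brightness(cur) <= BRIGHT_MAX:
        issues.append("abnormal_brightness")
    return issues


def confirmed_alarm(video_score, sensor_ok, score_min=0.8):
    """Sect. 4.2 linkage: alarm only when the video detector is confident AND an
    independent sensor (smoke, temperature, level, ...) agrees. A confident but
    unconfirmed detection becomes a 'candidate' kept for review and retraining."""
    if video_score >= score_min and sensor_ok:
        return "alarm"
    if video_score >= score_min:
        return "candidate"
    return "none"


# --- constructed sample frames (8 x 8 grey values 0..255) ---
def checker(size=8, dark=20, light=220):
    """High-contrast checkerboard: sharp, mid brightness."""
    return [[light if (x + y) % 2 == 0 else dark for x in range(size)] for y in range(size)]


def flat(size=8, value=128):
    """Uniform mid-grey frame: no edges at all."""
    return [[value] * size for _ in range(size)]


def dark(size=8, value=10):
    """Uniform near-black frame, e.g. lighting failure."""
    return [[value] * size for _ in range(size)]


if __name__ == "__main__":
    print("checker:", frame_health(None, checker()))          # []
    print("flat twice:", frame_health(flat(), flat()))        # ['blurred', 'frozen']
    print("went dark:", frame_health(checker(), dark()))      # ['blurred', 'abnormal_brightness']
    print(confirmed_alarm(0.9, True), confirmed_alarm(0.9, False), confirmed_alarm(0.3, True))
```

The three checks are deliberately cheap enough to run on the camera itself (front-end intelligence); only the verdicts need to leave the device, and the `candidate` path gives the operator the false-alarm material the paper proposes feeding back into training.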

5 Summary

Smart IP cameras have the advantages of convenient installation and upgrade, bandwidth saving, and front-end intelligence. They can efficiently use intelligent video functions to replace manual operations, perform information statistics, and warn of disasters. Smart IP cameras can further enhance the overall automation and intelligence of nuclear power plants, saving costs and improving plant safety.

References
1. Ya-Hua, S.: Application and prospect of industrial video surveillance system in the field of nuclear power production. In: Progress Report on China Nuclear Science and Technology (Vol. 4)-Proceeding of the 2015 Annual Conference of the Chinese Nuclear Society, vol. 3 (Nuclear Power Subvolume) (2015)
2. Ke, X., Liao, Z.: Design and application of video monitoring system of nuclear power plant based on IP network. In: Proceedings of 2017 Annual Conference on Power Industry Informatization (2017)
3. Ming-Zhao, W., Yi-Rong, C.: The application of IP HD camera in the video surveillance of water conservancy project. Sci. Technol. Innov. Appl. 22, 218 (2016)
4. Fei, C.: Design and implementation of closed-circuit television surveillance system in the factory. Electric Surv. Des. (2015)
5. Dong-Qing, W.: Application and development of IP HD camera. Archit. Eng. Technol. Des. 31, 3450 (2018)
6. Xiu-Ling, Z., Dai-Biao, H., Cheng-Cheng, Z.: Design of MPCANet disaster image recognition model for deep learning. Infrared Laser Eng. 47(2), 40–45 (2018)
7. Jin-Ban, L., Jie-Hui, L.: Industrial Television Monitoring System Training Course. Chemical Industry Press (2011)
8. Li-Hong, G., Zhao-Kai, X.: Research on application of digital closed circuit television system in thermal power plant. Data Technol. Appl. 8, 100–101 (2013)

Research About Smart Power Plant for Chinese Heavy-Duty Gas Turbine Development and Application

Guo-Gang Shu, Peng-Fei Gu(B), Xue-Fei Zhai, Bao Heming, and Cao Ying
China United Gas Turbine Technology Co., Ltd., Beijing, China
[email protected]

Abstract. With the development of artificial intelligence technology, the concept of the smart power plant has recently been discussed widely and has been applied in many industries, including nuclear power. Chinese heavy-duty gas turbine (CHGT) development and application (D&A) is one of the national science and technology major projects and is being implemented by China United Gas Turbine Technology Co., Ltd. (UGTC). Following the progress of CHGT D&A, this paper first sets out a framework for building a smart power plant and digital twin in the different phases of CHGT D&A: engineering, manufacture, construction, commissioning, and operation and maintenance. Secondly, the paper describes two building modes, the forward and backward modes, and discusses their contents under the different conditions found in power plant practice. Finally, taking the backward mode as an example, the paper provides a feasible technical solution. This should benefit future research on smart power plants for CHGT D&A.

Keywords: Smart power plant · CHGT · Digital twin · Forward and backward modes

1 Introduction

1.1 Smart Power Plant Summary

The integrated intelligent energy revolution is an irreversible trend for the future. With artificial intelligence technology developing rapidly, the smart power plant has become a hot topic in recent years. It means that the traditional power plant has more choices for improving plant operation, investment decision-making and product lifecycle management with the help of artificial intelligence, which benefits regional energy structure adjustment [1, 2]. A digital twin is a vital tool that uses digital methods to reconstruct a virtual representation of a physical object or system across its life cycle. Real-time data, mechanism models and mathematical models are used to enable learning, reasoning and dynamic recalibration for improved decision making [3]. The digital twin transforms complex product development, manufacturing, operation and maintenance in the real world into digital information in the virtual world, at relatively low cost. Through digital twin data iteration and continuous model optimization, optimal solutions are obtained and a variety of real-world solutions are given. Analysis of the data from connected sensors, combined with other sources of information, allows engineers to understand not only how plants are performing, but also how they will perform in the future [4, 5]. This manuscript first introduces the framework for building a smart power plant in the process of CHGT D&A for the different phases: engineering, manufacture, construction, commissioning, and operation and maintenance. Secondly, the paper describes two building modes, the forward and backward modes, and discusses their contents under the different conditions found in power plant practice. Finally, taking the backward mode as an example, the paper provides a feasible technical solution.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 688–695, 2021. https://doi.org/10.1007/978-981-16-3456-7_69

2 Different Contents in Different Phases

The process of CHGT D&A includes different phases: engineering, manufacture, construction, commissioning, and operation and maintenance. Different contents of the smart power plant and digital twin would be done in each phase, as shown in Fig. 1.

Fig. 1. Smart power plant development logical diagram

2.1 Engineering Phase

Product lifecycle management (PLM) and teamwork are the core of the engineering phase. Through the innovative digital information network, the scattered developers and testers in different fields are effectively connected to the unified research and development (R&D) data center. Each member can participate in PLM through the data center and easily extract the latest information related to the product, so they can make optimal decisions during the engineering phase. The basis of PLM and teamwork in CHGT is to standardize management and control of product development, technical documentation, the design process and bills of materials (BOM) through a unified R&D data center. Based on this standardized management and control, more departments can be involved to establish effective R&D and design processes, a test verification process, a quality control process, a cost control process and a project management process, so as to integrate the engineering technical documents with the 3D product model and provide the necessary conditions for collaborative work in the manufacture phase.

2.2 Manufacture Phase

In the manufacture phase, the collaborative function of product and process development is established between the R&D team and the manufacturing team through a cloud platform, with product design and manufacturing planning information as the core and the digital 3D model as the carrier, so as to realize "AE integration" of the gas turbine [6, 7]. CHGT regards overall performance and quality control as the core and relies on the professional heavy-duty gas turbine industry alliance platform, through which the integration of product design and manufacturing is realized. Gas turbine product research and development, engineering design, gas turbine manufacturing, turbine auxiliary equipment and other businesses are integrated as one whole. In order to jointly promote high-quality and efficient development of the heavy-duty gas turbine industry cluster, CHGT takes the core technology of the heavy gas turbine as its capability support and cooperates with relevant industrial chain enterprises on independent innovation.
The data flow chain of heavy-duty gas turbine products is established through the cloud platform, which can add and update engineering technical documents related to the data carrier (the 3D model), and provides the technical basis for power plant construction in the next stage.

2.3 Construction Phase

The key point of the construction phase is making full use of the results of design and manufacture integration. Bringing in a Building Information Modeling (BIM) system combines the plant's project management information, the building design model and the R&D digital outputs. By using the Industrial Internet of Things (IIoT), 5G and GIS technology in the construction phase, the mapping between the real power plant and its digital model is set up, reaching the ultimate aim of the digital twin [10]. The digital twin can benefit plant construction in many respects, for example engineering data management, daily work coordination and supervision, work preparation, process monitoring, subcontractor management, purchasing and warehouse management, HSSE (health, safety, security and environment) management, work permit management and background information management. The significance of setting up the twin is not only to realize the mapping between the real and digital worlds, but also to promote the China heavy-duty gas turbine power industrial chain, offering real-time feedback of power plant operation information for the commissioning and O&M phases.


2.4 Commissioning Phase

The digital twin is fully used in the commissioning phase. By using the digital twin, all detailed information needed for commissioning management can be pre-defined and the documents can be managed automatically, so the efficiency of pre-commissioning work is greatly improved. On the basis of completing the mapping of the power plant equipment and systems in the construction phase, the digital twin can realize monitoring and simulation of various digital process systems. Commissioning staff compare the performance of the system, analyse the process values and resolve all inconsistencies. As in the construction phase, the digital twin can also provide plant engineering data management, daily work coordination and supervision, work preparation, process monitoring, subcontractor management, purchasing and warehouse management, HSSE management, work permit management and background information management functions.

2.5 Operation and Maintenance Phase

The operation and maintenance phase mainly uses the digital products of the smart power plant and the real-time operation and maintenance data provided by the industrial Internet of Things (IIoT) system; performance monitoring and production and operation simulation are carried out, system fault points are found and an optimized operation scheme is provided. It includes the 'as-built' 3D model, which is managed by a Configuration Management tool. This tool includes a set of systems engineering processes for establishing and maintaining consistency across Structures, Systems and Components (SSC) during O&M. Different taxonomies are defined at each level to accurately represent the engineering complexity of the asset. An Enterprise Asset Management (EAM) tool manages all maintenance activities, such as preventive and corrective maintenance.
This is where reliability-centered maintenance initiatives are defined; it also includes other capabilities related to asset lifecycle management, such as aging, degradation mechanisms and remaining useful life estimation. The EAM tool follows ISO 55000, which describes best practices in physical asset management [8]. Analytics and data science tools and algorithms will be provided to detect process anomalies, patterns and data trends early. This early detection is critical in asset management tasks such as component integrity assessment and condition-based maintenance. As more live asset data is collected, the focus will evolve from descriptive analytics towards machine learning techniques. This will be particularly important for failure prevention and asset health monitoring, that is, determining when to replace equipment or components based on actual usage and exposure to operating conditions. Additionally, maintenance task reports and information shall be cross-referenced and linked with the predictive monitoring system in order to enhance diagnosis and forecasting. Performance monitoring manages and monitors the performance and availability of systems. It identifies and detects any degradation in the performance of components and prevents failures impacting safety, generation and operating cost. Performance monitoring tracks a predefined set of KPIs and displays alarms when certain thresholds are not met. Performance monitoring is related to asset health monitoring.


Predictive maintenance and condition-based maintenance will be enabled by a platform gathering data from sensors placed on critical components. This platform can be either conventional sensor technology or an IIoT platform. The IIoT infrastructure will satisfy availability requirements and ensure that business continuity meets the standard ISO 22301 in all operational states within O&M [9]. This will help to optimize the maintenance intervals and determine a suitable maintenance method.

3 Building Modes

With the five phases of smart power plant construction defined, two modes can be referenced to accomplish the CHGT D&A process. One is the forward mode: the construction route is consistent with the project's forward direction, and one phase hands over to the next after the previous aims have been achieved. The other is the backward mode, an entirely different way to develop the smart power plant. The starting phase is chosen based on the practical situation of the project, which is related to schedule, budget and time costs; the work can begin at any phase. The depth and integrity of the job depend on the resources and data handed over from the preceding phases.

3.1 Forward Mode

As mentioned in the outline of this chapter, forward mode means that the construction route runs in the idealized order from the engineering phase to the O&M phase. It means that conditions including the time schedule, budget and date meet the requirements of the idealized situation. As shown in Fig. 2, the direction of the construction route follows the time axis.

Fig. 2. Forward mode diagram


3.2 Backward Mode

Backward mode is a flexible way to construct an intelligent power station. Without strict limitation to the scheduled plan and budget, the job can be done on the basis of the actual situation. After the target has been set, the corresponding requirements are determined for the previous phases. For example, Fig. 3 shows a typical backward mode whose starting point is the operation and maintenance phase. Taking UGTC as an example, with the establishment of the gas turbine test power plant, the starting point of its reverse development is the commissioning phase. Through the establishment of a mature gas turbine, the advanced experience of mature gas turbines in the construction and commissioning phases is learned, and at the same time a set of digital twin power plants verified in practice is established. This can provide experience for the construction of CHGT D&A in future power plant tests, and can even realize pre-commissioning and pre-operation capability before production and manufacturing through the digital twin.

Fig. 3. Backward mode diagram

4 Technical Solution

For a new project, forward mode is definitely the best mode for execution. For an R&D project, forward mode has many uncertainties. Construction of a smart power plant needs to find a proper breakthrough point, combined with schedule, budget and benefit analysis, and then set a good road map. For the CHGT project, R&D units and commercial units can follow different technical routes; the related influence factors are not consistent, and the R&D unit in particular has many uncertainties. Therefore using backward mode to construct the smart power plant is one of the more practical schemes in the actual execution process.


4.1 Process Analysis

To enable the functionality of power plant life-cycle management, process analysis offers a route to accomplish CHGT D&A. The gas turbine test power plant of the CHGT project includes the test benches, a commercial gas turbine, and a test gas turbine. The construction progress of the test gas turbine is closely related to the R&D progress, the results of important tests, and the construction of the test bench, and there are many uncertainties. In the R&D and manufacturing process of a heavy-duty gas turbine, because of the constraints of key R&D progress nodes such as the casting of high-temperature components, pneumatic structure design and rotor structure design, reverse R&D is more conducive to the whole development process. Therefore, after carefully analyzing the construction process of the CHGT intelligent power station, the following approach is adopted. Through the construction of a commercial gas turbine, the digital twin power plant is built to collect and sort the operation data. On this basis, the R&D digital simulation platform and the AE integration platform are built, and the data flow between the digital simulation platform and the AE platform is established, to provide an effective guarantee for the operation and maintenance of the R&D units.

4.2 Data Flow Analysis

Through the construction and operation of a commercial gas turbine, combined with the requirements for building the AE integration platform with Shanghai Electric Group, the civil engineering, process, I&C, pipeline, electrical and important-equipment (pump, valve, steam turbine) data of the R&D unit are analyzed, a 3-D real-time platform based on BIM technology is created, and a data flow with the digital twin as its core is formed. One is the time-dimension data flow, which is connected with the commercial gas turbine construction through the AE integration platform, forming the engineering, manufacturing, construction, commissioning, and operation and maintenance phases. The data of each phase can be researched in the time dimension, to realize data traceability over the whole product life cycle. The other is the operation data flow between different systems, which collects and sorts the data related to the operation and maintenance of the commercial gas turbine and synchronizes the data flow with the digital twin units, to construct the real-time operation and maintenance management system of the R&D units.

4.3 Budget and Benefit Analysis

Budget and benefit are technical and economic analysis items that must be carried out at the beginning of project construction. Huge investment with poor returns is not acceptable for any project. The CHGT project has both the nature of commercial operation and the consideration of R&D investment. Referring to the conclusion of the process analysis in Sect. 4.1, it is not feasible to analyze the budget and income step by step in the forward mode. However, it is also not feasible to ignore the relationship between cost and benefit. It is also a way to encourage R&D to consider the economic benefits of R&D investment from the perspective of revenue. For example, the key to R&D success depends on the effectiveness of gas turbine operation. In other words, to ensure the effective operation of R&D, the question is whether the relevant construction contents of the intelligent power plant can play a guaranteeing role: the investment does not necessarily yield economic benefits, but guaranteed benefits. Through the analysis of investment and guaranteed benefits, it can be determined which are the necessary options of an intelligent power station and which are the optional "icing on the cake". In this way, a better implementation path can be chosen in the construction process of the intelligent power plant.

5 Conclusion

Chinese heavy-duty gas turbine (CHGT) development and application (D&A) is one of the national major projects and is being implemented by UGTC. The use of the smart power plant has been very helpful in implementing the research and development. This paper sets out a framework for building a smart power plant in the process of CHGT D&A and describes two building modes, the forward and backward modes. As an example, the backward mode has been discussed as a feasible technical solution. Following the new progress of smart power plant building, this should benefit future research on smart power plants for CHGT D&A.

References
1. Liu, Z., Karimi, I.A.: New operating strategy for a combined cycle gas turbine power plant. Energy Convers. Manage. 171 (PT. 1083–186), 1675–1684 (2018)
2. Rahimiyan, M., Baringo, L.: Real-time energy management of a smart virtual power plant. IET Gener. Transm. Distrib. 13(11), 2015–2023 (2018)
3. Uhlemann, H.J., Lehmann, C., Steinhilper, R.: The digital twin: realizing the cyber-physical production system for industry 4.0. Procedia CIRP 61, 335–340 (2017)
4. Tao, F., Cheng, J., Qi, Q., et al.: Digital twin-driven product design, manufacturing and service with big data. Int. J. Adv. Manuf. Technol. 94, 3563–3576 (2018)
5. Suvarna, M., Büth, L., Hejny, J., et al.: Smart manufacturing for smart cities—overview, insights, and future directions. Adv. Intell. Syst. 2, 2000043 (2020)
6. Shu, G.G.: AE strategy, realize China's engineering dream. Tsinghua Bus. Rev. 23 (Z2), 20–27 (2014)
7. Shu, G.G., Liu, X.: AE mode of engineering management -- selection and practice of CGN. PKU Bus. Rev. (09), 106–113 (2013)
8. Asset management — Overview, principles and terminology. ISO 55000
9. Security and resilience — Business continuity management systems — Requirements. ISO 22301
10. Organization and digitization of information about buildings and civil engineering works, including building information modelling (BIM) — Information management using building information modelling. ISO 19650

Intelligent Safety Monitoring System for Nuclear Power Plant Based on the Convolution Neural Network

Xu-Tao Bai(B), Dan-Dan Sun, Xiao-Chen Zhang, and Bao-Cheng Sun
Suzhou Nuclear Power Research Institute, Suzhou 215004, Jiangsu, China
[email protected]

Abstract. Based on convolution neural network (CNN) technology and the use of video monitoring equipment, an intelligent safety monitoring system for nuclear power plants is designed and developed to realize continuous monitoring of the regional fire situation and of whether personnel are wearing safety helmets. This paper introduces the framework of the system, the principle of the convolution neural network and the feature recognition strategy, and describes the process of training data acquisition and model training in detail. A 6-month continuous measurement in a nuclear power plant shows that the system is stable, accurate and timely, and can effectively improve the efficiency of field monitoring.

Keywords: Nuclear power plant · Intelligent monitoring · CNN · Fire · Safety helmet

1 Introduction

At present, more than 30 countries in the world have nuclear power plants, and nuclear power accounts for more than 15% of total power generation. China has 47 operating nuclear power units, 15 nuclear power units under construction, and 18 nuclear fuel cycle facilities. Its total number of nuclear power units ranks second in the world, and its number of units under construction ranks first. Nuclear power has become an important part of China's energy structure. Safety is the most important basis of nuclear power development. According to the statistics, more than 90% of all kinds of accidents in nuclear power plants are caused by unsafe states of objects and unsafe behaviors of people. The unsafe behavior with the highest proportion is not wearing a safety helmet, which often leads to serious injury or death. Among the various accidents at nuclear power plants, the frequency of fire accidents is much higher than that of nuclear accidents. According to the statistics of the American Electric Power Research Institute, the frequency of nuclear power plant fires is about 0.14 per plant-year. This paper proposes an intelligent safety monitoring system for nuclear power plants based on convolution neural network technology and video monitoring equipment, to realize continuous monitoring of the regional fire situation and of whether personnel are wearing safety helmets, which can be helpful for the safe and stable operation of the nuclear power plant.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 696–705, 2021. https://doi.org/10.1007/978-981-16-3456-7_70

2 System Framework Design

2.1 A Subsection Sample

Based on image analysis and convolution neural network technology, using the monitoring equipment installed in the nuclear power plant and the analysis results of the background system, the intelligent safety monitoring system for the nuclear power plant can continuously monitor the fire situation and the wearing of safety helmets in the monitored area, so as to ensure the safe and stable operation of the nuclear power plant. The intelligent security monitoring system is mainly composed of front-end equipment, video storage and forwarding equipment, alarm processing and display equipment, and linkage control equipment. The specific system framework is shown in Fig. 1.

Fig. 1. Framework of the intelligent safety monitoring system

Front-end equipment: including cameras, video coding equipment, accessories and other equipment, mainly used for video signal acquisition.
Video storage and forwarding equipment: including network switches, video storage devices and other equipment, used for video storage and forwarding.
Alarm processing and display equipment: including the video analysis server, client server, display, alarm output and other equipment. The server connects with the video storage device through Ethernet, extracts the video signal, analyzes the status of personnel wearing helmets and the fire situation in the area in real time, then outputs the alarm signal.


Linkage controller: used to realize the whole alarm linkage control function of the nuclear power plant by receiving the system alarm signal.

By using the convolutional neural network and integrating computer vision and deep learning technology, the system analyzes, locates, identifies and tracks the image sequence from the camera without human intervention. On this basis the data are analyzed to realize timely acquisition, response and processing of specific conditions, and to monitor the status of personnel wearing helmets and the fire situation in the area.

3 System Technical Principles

3.1 Convolution Neural Network

The convolution neural network is a multi-layer neural network that uses the back-propagation algorithm for feature training, and its core is the convolution layer. Compared with other neural networks, it avoids the complex feature extraction process, reduces the complexity of the network model, and is widely used in artificial intelligence [1], text processing, image recognition and other areas. The basic convolution neural network is usually composed of convolution layers, pooling layers and fully connected layers. Features extracted by the convolutional neural network can be divided into three levels: low, middle and high. The low-level layers extract low-level features, the middle-level layers extract middle-level features, and the high-level layers extract high-level features [2]. The basic structure of the convolution neural network is shown in Fig. 2.

Fig. 2. Basic structure of the convolutional neural network

The convolution layer is used to extract the features of the input data. It contains multiple convolution kernels and is the core of the convolutional neural network [3]. The input data is extracted and compressed repeatedly by the convolution kernels, and the high-level features of the data are finally obtained, which can be used for recognition, analysis and processing. Its mathematical expression is shown in formula (1).

$$c(x, y) = f\left( \sum_{n=0}^{N-1} \sum_{m=0}^{M-1} \omega_{n,m}\, u(x+n, y+m) + b \right) \qquad (1)$$

In formula (1), $f(x)$ is the activation function, $\omega_{n,m}$ is the corresponding weight of the convolution kernel, $N$ and $M$ are the size of the convolution kernel, $u$ is the output feature of the upper layer, and $b$ is the offset value. In the development process, the activation function $f(x)$ uses the rectified linear unit (ReLU), which is a nonlinear function; its mathematical expression is shown in formula (2).

$$\phi = \max\left(0, \sum_i \omega_i \alpha_i\right) \qquad (2)$$

In formula (2), $\phi$ is the output of ReLU, $\omega_i$ is the weight of layer $i$, and $\alpha_i$ is the input of layer $i$. The system trains the convolutional neural network to extract target features from the preprocessed image data set, detects image features in combination with the Darknet network model, and trains the extraction of the various image features on multiple GPUs based on YOLO v3 [4]. After feature extraction in the convolution layer, the output feature maps are transferred to the pooling layer for feature selection and information filtering. The pooling process is shown in Fig. 3. The initial feature sample size is 20 × 20, and the sampling window size is 10 × 10. After repeated sampling, the final sample is 2 × 2. The data dimension is reduced by down-sampling, but the statistical attributes of the features still reflect the image characteristics, and over-fitting is effectively avoided.

Fig. 3. The pooling process. a) Convolved feature; b) Pooled feature.
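As an added illustration (not code from the paper), the following pure-Python snippet implements the convolution layer of formula (1), the ReLU of formula (2) and the non-overlapping max pooling of Fig. 3 on a constructed 22 × 22 input. The kernel, the bias and the bright patch standing in for a flame are assumed values, chosen so that the 20 × 20 convolved map pools with a 10 × 10 window to the 2 × 2 result the text describes.

```python
# Added example (not from the paper): formula (1) convolution, formula (2)
# ReLU and the max-pooling step of Fig. 3 in pure Python.
# Feature maps are plain lists of lists of floats.

def relu(z):
    """Rectified Linear Unit, formula (2): phi = max(0, z)."""
    return max(0.0, z)

def conv2d(u, w, b, f=relu):
    """Formula (1): c(x, y) = f( sum_n sum_m w[n][m] * u[x+n][y+m] + b ).
    'Valid' convolution: no padding, stride 1, one kernel, one output map."""
    N, M = len(w), len(w[0])          # kernel size
    rows, cols = len(u), len(u[0])    # upper-layer output (input) size
    out = []
    for x in range(rows - N + 1):
        row = []
        for y in range(cols - M + 1):
            acc = b
            for n in range(N):
                for m in range(M):
                    acc += w[n][m] * u[x + n][y + m]
            row.append(f(acc))
        out.append(row)
    return out

def max_pool(c, window):
    """Non-overlapping max pooling with a square window (Fig. 3):
    each window keeps only its largest activation."""
    rows, cols = len(c), len(c[0])
    out = []
    for x in range(0, rows - window + 1, window):
        row = []
        for y in range(0, cols - window + 1, window):
            row.append(max(c[x + i][y + j]
                           for i in range(window) for j in range(window)))
        out.append(row)
    return out

def shape(fm):
    """(rows, cols) of a feature map."""
    return (len(fm), len(fm[0]))

def demo():
    """Constructed input: a 22x22 dark image with a bright 6x6 patch in the
    lower-right quadrant (assumed stand-in for a flame).  A 3x3 box kernel
    with a negative bias gives the 20x20 map; pooling with a 10x10 window
    gives the 2x2 map of Fig. 3, lit only in the quadrant holding the patch."""
    size = 22
    image = [[0.0] * size for _ in range(size)]
    for x in range(14, 20):
        for y in range(14, 20):
            image[x][y] = 1.0
    kernel = [[1 / 9] * 3 for _ in range(3)]   # assumed 3x3 averaging kernel
    bias = -0.2                                # assumed offset b
    convolved = conv2d(image, kernel, bias)    # 20 x 20
    pooled = max_pool(convolved, 10)           # 2 x 2
    return convolved, pooled

if __name__ == "__main__":
    convolved, pooled = demo()
    print(shape(convolved), shape(pooled))
    for row in pooled:
        print(["%.2f" % v for v in row])
```

The bias below zero means the background is driven to exactly 0 by ReLU, so only the quadrant containing the bright patch survives pooling; that is the "feature statistical attributes still reflect the image characteristics" point of the paragraph made concrete.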

3.2 Realization of Feature Recognition

Based on the multiscale strategy, the Darknet network structure uses three feature maps (13 × 13, 26 × 26, 52 × 52) to predict smoke, flame and helmet wearing. Three bounding boxes are predicted for each grid cell. The tensor dimension of the final output is $N \times N \times [3 \times (4 + 1 + 80)]$, where $N$ is the length and width of the feature map, 3 is the three predicted boxes, 4 is $t_x, t_y, t_w, t_h$, 1 is the confidence of the predicted box, and 80 is the number of categories. The 9 anchor sizes on the COCO dataset are (10 × 13), (16 × 30), (33 × 23), (30 × 61), (62 × 45), (59 × 119), (116 × 90), (156 × 198), (373 × 326). In yolov3, three branch outputs predict all kinds of features; the output feature maps are 13 × 13, 26 × 26 and 52 × 52, and each feature map uses three anchors. (1) The 13 × 13 feature map uses (116 × 90), (156 × 198), (373 × 326). (2) The 26 × 26 feature map uses (30 × 61), (62 × 45), (59 × 119). (3) The 52 × 52 feature map uses (10 × 13), (16 × 30) and (33 × 23). In yolov3-tiny there are six anchors, which are (10, 14), (23, 27), (37, 58), (81, 82), (135, 169), (344, 319). Finally, yolov3-tiny has two branches for prediction, and the feature map sizes are 13 × 13 and 26 × 26. Each feature map uses three anchors for prediction.

4 Data Acquisition and Model Training

The intelligent safety monitoring system mainly monitors the two states of fire and helmet wearing, so data samples must be collected for these two states respectively [5].

4.1 A Subsection Sample

According to the results of the hazard analysis of the nuclear power plant, different fire pictures are selected as data sets from three aspects: combustible type, scale size and smoke type. The types of combustible material are: gasoline, diesel oil, lubricating oil, natural gas (simulating hydrogen explosion), wooden pile, tire, electrical cable, etc. The scale size is divided into small (first level sensitivity), medium (second level sensitivity) and large (third level sensitivity). The smoke type is divided into thin smoke, white smoke, black smoke, smoke under low illumination, etc. 100,000 images including smoke or flame were collected; 50,000 of them were used as the training data set together with 5,000 other interference images, and the remaining 50,000 images were used as the test data set. The images of all training and test data sets are preprocessed, and then the convolution neural network is used for training and learning. Each image in the data set carries its classification label. An example of a data set sample is shown in Fig. 4.

Fig. 4. Example of flame and smoke sample. a) White smoke picture; b) Flame picture; c) Black smoke and flame picture; d) Large fire picture.

4.2 Safety Helmet Wearing Data Set

Safety helmets can be divided into general safety helmets, electric safety helmets, antistatic helmets, cold helmets and helmets with goggles. Combined with the field application in nuclear power plants, the samples of universal safety helmets and safety helmets with goggles are mainly collected. Taking all kinds of safety helmets distributed in a nuclear power plant in the recent five years as the basic samples, about 20,000 frames of monitoring video stream are intercepted, and about 30,000 pictures of safety helmet wearing are collected through the Internet to form the basic sample data set; the samples are then classified according to the size of the pictures and the complexity of the background [6]. From the basic sample data set, 30,000 images were randomly selected and 1,000 other hat interference images were collected as the training data set, and the remaining 20,000 images were used as the test data set. An example of a data set sample is shown in Fig. 5.

4.3 Model Training

After the training data set is obtained, it is trained with the deep learning network model, and the training process can be observed and analyzed with visual tools that show the trend of the loss function during training [7]; 200,000 iterations were carried out in the training process of each monitoring item. The training results are shown in Fig. 6. In the safety helmet monitoring, the loss becomes stable at 120,000 iterations. In the fire monitoring, the loss becomes stable after 160,000 iterations, and the training process basically meets the expectation. By increasing the number of GPUs, parallel operation can greatly shorten the training time.

Fig. 5. Examples of safety helmet. a) Single safety helmet; b) Multiple safety helmets; c) Safety helmet with goggles; d) Some safety helmets in different colors.

Fig. 6. Convergence of loss function of model.


5 System Test

5.1 Simulation Test

The fire test set and helmet test set are used to test and analyze the system, and the detection accuracy of the two monitoring items is calculated [8].

$$\delta = 1 - \frac{\rho + \sigma}{N} \times 100\% \qquad (3)$$

In formula (3), $\delta$ is the accuracy rate, $\rho$ is the number of wrong detections, $\sigma$ is the number of missed detections, and $N$ is the number of test samples. Taking the intersection over union (IOU) of the predicted bounding box and the ground-truth bounding box as the matching basis [9], the result matching method is shown in Table 1.

Table 1. Matching method

Right detection | Error detection (ρ) | Missed detection (σ)
IOU > 0.8 | The match was detected in the model, but the test set was not identified | The test set was identified, but no match (IOU > 0.8) was detected in the model
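As an added example (not the paper's own code), the following Python functions compute the IOU of two boxes, classify one test sample into right, error (ρ) and missed (σ) detections with the IOU > 0.8 rule of Table 1, and evaluate formula (3) over a constructed test set. The box coordinates and the sample set are assumed values; the functions accept any number of predicted and ground-truth boxes per sample, which generalizes the single-box case the text describes.

```python
# Added example (not from the paper): IOU matching per Table 1 and the
# accuracy rate of formula (3).  Boxes are (x1, y1, x2, y2) tuples in pixels.

def iou(a, b):
    """Intersection over union of two axis-aligned boxes."""
    ix1, iy1 = max(a[0], b[0]), max(a[1], b[1])
    ix2, iy2 = min(a[2], b[2]), min(a[3], b[3])
    inter = max(0, ix2 - ix1) * max(0, iy2 - iy1)
    area_a = (a[2] - a[0]) * (a[3] - a[1])
    area_b = (b[2] - b[0]) * (b[3] - b[1])
    union = area_a + area_b - inter
    return inter / union if union else 0.0

def match_sample(predicted, truth, threshold=0.8):
    """Classify one test sample per Table 1.  Returns (right, rho, sigma):
    right - predictions overlapping an unmatched ground-truth box with IOU > threshold
    rho   - error detections: predictions with no matching ground truth
    sigma - missed detections: ground-truth boxes left without a matching prediction
    Each ground-truth box can be matched at most once, so a duplicate
    prediction on the same object counts as an error detection."""
    unmatched_truth = list(truth)
    right = rho = 0
    for p in predicted:
        best, best_iou = None, 0.0
        for t in unmatched_truth:
            v = iou(p, t)
            if v > best_iou:
                best, best_iou = t, v
        if best is not None and best_iou > threshold:
            right += 1
            unmatched_truth.remove(best)
        else:
            rho += 1
    sigma = len(unmatched_truth)
    return right, rho, sigma

def accuracy_rate(samples, threshold=0.8):
    """Formula (3) as a fraction: delta = 1 - (rho + sigma) / N,
    with N the number of test samples (multiply by 100 for percent)."""
    N = len(samples)
    rho = sigma = 0
    for predicted, truth in samples:
        _, r, s = match_sample(predicted, truth, threshold)
        rho += r
        sigma += s
    return 1.0 - (rho + sigma) / N

# Constructed test set (assumed values): each sample is
# (predicted boxes, ground-truth boxes) for one image.
SAMPLES = [
    ([(10, 10, 50, 50)], [(10, 10, 50, 50)]),   # exact match: right
    ([(12, 12, 52, 52)], [(10, 10, 50, 50)]),   # shifted 2 px, IOU ~0.82: right
    ([(30, 30, 70, 70)], [(10, 10, 50, 50)]),   # poor overlap: one rho and one sigma
    ([], [(10, 10, 50, 50)]),                   # nothing predicted: sigma
    ([(10, 10, 50, 50)], []),                   # phantom detection: rho
]

if __name__ == "__main__":
    for predicted, truth in SAMPLES:
        print(match_sample(predicted, truth))
    print("accuracy rate: %.1f%%" % (accuracy_rate(SAMPLES) * 100))
```

Note that formula (3) charges a sample that is both an error and a miss twice, so a single badly placed box costs 2/N; a practitioner comparing figures between models should keep that convention fixed.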

In the fire model test, 50,000 samples are used as the test data set, and the detection accuracy rate reaches 92.73%; in the safety helmet model test, 20,000 samples are used as the test data set, and the detection accuracy rate reaches 94.27%.

5.2 Field Test

Actual fire monitoring experiments under different environments were carried out, and the experimental data are shown in Table 2.

Table 2. Experimental data of fire identification

Classification | Number of experiments | Number of successful identifications | Accuracy | Identification duration
Indoor flame | 50 | 50 | 100% | 513 s
Indoor smoke | 50 | 50 | 100% | 1128 s
Outdoor flame | 50 | 50 | 100% | 711 s
Indoor smoke | 50 | 50 | 100% | 1330 s


Fig. 7. Pictures of fire test

The fire monitoring field test is shown in Fig. 7. Safety helmet wearing monitoring experiments under different environments were carried out, and the experimental data are shown in Table 3.

Table 3. Experimental data of safety helmet identification

Classification | Number of experiments | Number of successful identifications | Accuracy | Identification duration
Indoor | 100 | 100 | 100% | 6–21 s
Outdoor | 100 | 100 | 100% | 5–13 s

The safety helmet wearing field test is shown in Fig. 8.

Fig. 8. Pictures of safety helmet test

Through the simulation experiment and field measurement, the system shows a good monitoring effect at far and near distances, indoors and outdoors, on flame, smoke and safety helmets under different conditions. The recognition accuracy and timeliness of the system fully meet the practical requirements. After testing, the intelligent safety monitoring system was deployed on site in a nuclear power plant and monitored continuously for 6 months. The system ran stably, and detected one grade 0 fire incident and three cases of personnel not wearing safety helmets. It can therefore effectively ensure the operational safety of the nuclear power plant.

6 Conclusion

The intelligent safety monitoring system based on the convolution neural network can realize 24-h continuous monitoring of fire risk and of the status of safety helmet wearing, using the existing camera equipment in the nuclear power plant. The field application results show that the system runs stably, monitors accurately and responds in a timely manner, which can improve monitoring efficiency and help the stable operation of the nuclear power plant. The system can also be used in other special places, and provides new ideas for the development of other monitoring systems.

References

1. Qi, Z.: The Research of Automatic Image Recognition Technology Based on Forest Fire Video Monitoring. School of Computer Science & Engineering, Chengdu (2017)
2. Jie, F.: Application and Research of Image Recognition Technology in the Monitoring System. North China Electric Power University, Baoding (2010)
3. Zhang, C.-Z., Gu, X.-T., Zhang, Y.-M.: Gesture recognition based on deep convolutional neural network. Radio Eng. 49(7), 587–591 (2019)
4. Shi, H., Chen, X.-Q., Yang, Y.: Safety helmet wearing detection method of improved YOLO v3. Comput. Eng. Appl. 55(11), 213–220 (2019)
5. Zhang, J., Sui, Y., Li, Q., et al.: Fire video image detection based on convolutional neural network. Appl. Electr. Tech. 45(4), 34–38, 44 (2019)
6. Duan, S.-L., Gu, C.-L.: Research on the detection method based on the optimized BP neural network for the visual fire flame recognition. J. Changzhou Univ. (Nat. Sci. Edn.) 29(2), 65–70 (2017)
7. Koppe, G., Guloksuz, S., Reininghaus, U., et al.: Recurrent neural networks in mobile sampling and intervention. Schizophrenia Bull. 45(2), 272–276 (2019)
8. Yi, X., Bei-Bei, L., Wei, S.: Research on improved deep belief network classification algorithm. J. Front. Comput. Sci. Technol. 13(4), 596–607 (2019)
9. Zhang, R.-H., Tian, Z.-Z., Hu, J.-M., et al.: Target recognition in infrared imagery using convolutional neural network. In: International Conference on Artificial Intelligence Techniques and Applications, pp. 170–178 (2016)

Improvement and Research on the Level Measurement of High Low Pressure Heater and Deaerator in Nuclear Power Plant

Hai-Ying Fan(B), Hua-Qing Peng, Xin-Nian Huang, Heng Li, and Xiao-Feng Li

State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Company Ltd., Shenzhen 518172, China
[email protected]

Abstract. Based on the analysis of the high temperature high pressure heater level switch faults in the Conventional Island of the 1000 MW nuclear power unit, this paper optimizes the instrument selection by replacing the level switch with a level transmitter. By comparing the working characteristics of the three most commonly used transmitters, the guided wave radar liquid level transmitter is finally selected to improve measurement reliability and the stability of unit operation. The application of guided wave radar provides reference engineering experience for subsequent new projects or in-service transformation.

Keywords: Nuclear Power Plant · Guided wave radar liquid level transmitter · High temperature high pressure heater · Level measurement

1 Introduction

The Conventional Island heaters, including the High Pressure Feedwater Heater (AHP system), Low Pressure Heater (ABP system), Deaerator (ADG system) and Moisture Separator Reheater (GSS system), are important high temperature high pressure secondary loop systems in a Nuclear Power Plant. At present, float-type liquid level switches are widely used for level measurement in the ADG/ABP/AHP/GSS systems of 1000 MW Nuclear Power Plant Conventional Islands. They are mainly used for protection against water inflow into the turbine, protection of the feedwater pump and heater drain recovery pump, and control of heating stage isolation and drain valves. However, because of the temperature and pressure in the Conventional Island high temperature high pressure heaters, float level switch failures occur frequently. This problem has also been noticed during the construction of domestic nuclear power units. To ensure the reliability of unit operation, the ADG/ABP/AHP/GSS Periodic Test Rules stipulate that on-line tests must be carried out regularly on the liquid level switches in the heaters. Therefore, an on-line test box for the liquid level switch is set up locally, and the Periodic Test of the liquid level switch is carried out every three months. Even so, malfunction of the liquid level switch and misoperation of the test switchover contacts in the test box still occur frequently in one domestic operating Nuclear Power Plant, resulting in unit tripping and overpower.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 706–715, 2021. https://doi.org/10.1007/978-981-16-3456-7_71


Based on the analysis of the high and low pressure heaters and feedwater deaerating tank level measurement of nuclear power units, this paper adopts optimization of instrument selection and instrument configuration to improve measurement reliability and safety and stability of unit operation, providing reference engineering experience for subsequent new projects and in service renovation.

2 Fault Analysis of the Liquid Level Switch

At present, the level switches of ADG/AHP/ABP/GSS mainly use products from the manufacturers SOR, Mobery and Magnetrol. The float switch is designed to open or close a circuit (switch) as the changing liquid level within a vessel passes the level of the float (the switch point). The working principle of the liquid level switches is basically the same. When the process liquid level rises above the switch point, the float rotates up, the magnet rotates down, the push rod acts, contact B-B opens and contact A-A closes (Fig. 1).

Fig. 1. Level rise-Level switch action

When the process liquid level drops below the switch point, the float turns down, the magnet turns up, the push rod moves, contact B-B closes and contact A-A opens (Fig. 2).

Fig. 2. Level down-Level switch action


Based on the working principle and structure of the liquid level switch, the historical statistics and analysis of its faults show that the main causes of liquid level switch faults are as follows (Fig. 3):

Fig. 3. Faults analysis of the liquid level switch (text recovered from the figure, titled "Analysis of Fault Causes of Nuclear Power Plant Level Switch"; the five fault groups appear beside the labels Mobery, SOR, LK-4, Magnetrol and IA, matched here in reading order)
Mobery: 1 Float anomaly, connecting parts are jammed; 2 Iron filings on magnets affect the interaction between magnets; 3 Plastic deformation of contact shrapnel occurs; 4 The contact is oxidized, the contact is not conducting or the on-resistance is large; 5 The magnet connected to the contact point is not in place; 6 SN is damaged.
SOR: 1 Microswitch fault; 2 Floating ball failure; 3 Floating ball jamming; 4 Abnormal action of mechanical connecting rod; 5 Float inflow; 6 SN is damaged.
LK-4: 1 Unable to self-hold, resets immediately after action; 2 The action force between the float and the magnetic column is insufficient; 3 The micro-switch of the instrument is jammed; 4 Loose, oxidized and short-circuited instrument wiring; 5 SN is damaged.
Magnetrol: 1 The float inside the buoy is jammed; 2 SN is damaged.
IA: 1 The SN adsorption magnet has insufficient magnetic force; 2 The heat preservation construction is not in place, and the magnetism is weakened due to high

The ADG/AHP/ABP/GSS liquid level instruments operate in a high temperature high pressure environment. The liquid level switch components are connected mechanically and magnetically, and failure is inevitable after running in such an environment for a period of time. Replacing the liquid level switch is therefore an effective way to improve the measurement reliability of the liquid level instruments.

3 Selection Analysis on Replacing the Liquid Level Switch with the Liquid Level Transmitter

3.1 Replace the Liquid Level Switch with the Liquid Level Transmitter

There is a regulatory and standard basis for replacing the liquid level switch with a liquid level transmitter. According to the energy industry standard NB/T 25039-2014 "Recommended practices for the prevention of water damage to steam turbines used for light water nuclear power plant", Section 6.4 Deaerator Water Intake Prevention Specification: "6.4.7 If an integrated control system is adopted, the minimum redundancy and reliability shall include at least the following contents: a) The three sensors shall be installed directly on the deaerator water tank or on risers directly connected to the water tank and shall be isolated from each other for easy maintenance. b) The three sensors shall be distributed on different I/O cards. I. Two-out-of-three logic is adopted to provide the limit high III water level alarm and isolate the deaerator. II. Two-out-of-three logic is adopted to provide the high II water level alarm and isolate the deaerator. III. Two-out-of-three logic is adopted to provide the high I water level alarm [1]." At the same time, with the update of instrument technology, the advantages of analog instruments gradually emerge. Compared with the liquid level switch (SN), the liquid level transmitter (MN) has more advantages in response time, accuracy, default value and fault judgment (Table 1).

Table 1. Advantage analysis of analog instruments

Scheme comparison | Advantages of analog instruments
Response time requirements | The response time of valve action is generally in seconds, and the response time of analog instruments is below 1 s, which meets the requirements of valve control
Instrument accuracy | According to the current development of instrument technology, the accuracy of analog instruments meets the requirements of system measurement and control
Default value | The DCS control system can judge the fault of analog instruments, and can set default values to maintain the safe state of the unit when the instruments fail. For switching value instruments, however, the DCS control system carries out on-line fault identification but cannot set default values


3.2 Measurement Principle and Selection of Level Transmitter

The deaerator and high and low pressure heater level measurement transmitters commonly used in Nuclear Power Plants include the differential pressure transmitter, the displacer liquid level transmitter and the guided wave radar liquid level transmitter. In this paper, the characteristics of the three types of liquid level transmitters are compared (Table 2):

Table 2. Comparison of main characteristics of three liquid level transmitters

Contrast items | Differential pressure transmitter | Guided wave radar level transmitter | Displacer level transmitter
Accuracy | High (0.075%) | High (2 mm) | Low (0.5%–1%)
Reliability | High | High | Low
Influence of pressure change | Larger | Small | Larger
Influence of temperature change | Smaller | Smallest | Larger
Range | Large, according to the differential pressure measuring range | 0.08–75 m | 0.3–3 m
Leakage points | Many | Fewer | Fewer
Installation | Relatively complex (generally requires condensing heater) | Simple (side mounting) | Simple (side mounting)
Maintenance workload | Relatively large (regular verification is required, and measurement is not allowed when negative pressure is applied) | Less | Relatively large (1. periodic verification; 2. mechanical failure; 3. the float has sundries or friction with the barrel chamber)
Application in thermal power and nuclear power | Many | Less and less | More and more

Deficiency of measuring liquid level by differential pressure transmitter in Nuclear Power Units in operation: The differential pressure transmitter cooperates with the balance container to measure the liquid level. The moisture in the balance container is drained or evaporated after the unit is shut down, resulting in inaccurate level measurement results of the unit at the initial start-up, which requires maintenance personnel to irrigate the balance container before start-up, affecting the overall input time of the system [3].


Deficiency of liquid level measurement by displacer liquid level transmitter in nuclear power units: because the LVDT is a coil structure, the coil and feedback rod are prone to disconnection due to vibration and wear caused by medium fluctuation, and LVDT replacement is required at regular intervals of 3C (3 refueling cycles). Similar to the float-type liquid level switch, the float-type liquid level transmitter is prone to mechanical jamming failure, and the calibration of the transmitter is complicated, as it can only be calibrated by filling, with a large system error [2].

In recent years, the application of the guided wave radar level gauge has gradually increased. The guided wave radar level gauge is based on the technology of TDR (Time Domain Reflectometry). TDR utilizes pulses of electromagnetic energy transmitted downward along the guided wave rod. When a pulse encounters a liquid surface with a larger dielectric constant than the preceding medium (air or evaporated gas), it is reflected. The transmission time t of the pulse is measured by an ultra-high speed timing circuit, from which the transmission distance s = vt of the electromagnetic pulse is calculated; i.e. the distance between the emitting device and the surface of the measured medium is proportional to the propagation time of the pulse between them, and the liquid level height is calculated from it [3].

Advantages and characteristics of the guided wave radar level gauge: its measurement is not affected by medium density, conductivity and temperature, and it is suitable for measurement under high temperature high pressure conditions [4]. Media with obvious volatile gas, foam, liquid level fluctuation, wall hanging and scaling, bubbling or boiling, ultra-low liquid level, or changes in dielectric constant or specific gravity can be measured effectively. There are no moving parts and no need to recalibrate, which minimizes maintenance work. The measurement of the guided wave radar level gauge is less affected by medium changes, pressure changes, temperature changes, steam, foam, etc. For saturated steam under high temperature high pressure, a guided wave radar level gauge with a dynamic steam compensation function can be selected (Fig. 4).

Through comparison, the displacer liquid level transmitter has no advantages in measurement accuracy or price. Replacing the level switch with a level transmitter is mainly intended to realize the protection function of the system, which requires higher accuracy. The deaerator and the high and low pressure heaters have high pressure and temperature, with pressure fluctuation. Guided wave radar level gauge measurement is less affected by pressure and temperature, is convenient to install and maintain on site, and there are many mature cases of its application in nuclear power plants. It is recommended that the level transmitter adopt the guided wave radar level gauge scheme.

3.3 Improved Scheme

Taking the Low Pressure Heater system (ABP) as an example, this paper gives the suggested optimal configuration scheme of the liquid level instruments, as shown in Table 3 (SN means level switch, MN means level transmitter).


Fig. 4. Guided wave radar level gauge measurement principle

Table 3. Optimal configuration scheme of ABP system liquid level instrument

Measured object | Instrument function | Pre-optimization instrument configuration | Optimized instrument configuration
ABP level L | Alarm only | Two SNs | A total of 3 guided wave radar level meters are set up. These 3 MNs are used for alarm and protection of each level, and the same 3 MNs are used for adjusting the normal drain valve and emergency drain valve (one cell merged across all rows)
ABP level H | The liquid level is not high, so it is allowed to be put into operation with low addition | Two SNs | (same)
ABP level HH | Protect and open emergency Drain Valve | Two SNs | (same)
ABP level HHH | Isolate a row of low-pressure and Bled Steam anti-countercurrent protection (anti-turbine water inflow) | Two SNs | (same)
ABP level transmitter | Adjust normal and emergency Drain Valve | One displacer transmitter | (same)


As can be seen from the above instrument optimization configuration scheme, all liquid level switches in the Low Pressure Heater are cancelled and replaced by 3 guided wave radar liquid level meters. When none of the transmitters has failed, the output is the middle (second largest) of the three values. When one transmitter fails, the output is the higher value of the two normal transmitters. When two transmitters fail, the output is the normal signal of the remaining transmitter. When all three transmitters fail, the output holds the last valid value, and the module outputs the corresponding fault signal. The pre-improvement logic and the improved logic of the ABP system liquid level control are shown in Fig. 5 and Fig. 6 respectively.
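The following Python snippet is an added example (not the paper's own logic or a DCS vendor's implementation) covering two passages of this paper: the three-transmitter signal selection described in the paragraph above, and the two-out-of-three alarm voting quoted from NB/T 25039-2014 Section 6.4.7 in Section 3.1. A failed channel is modelled as None, and the high I / high II / high III thresholds are assumed values, not figures from the paper.

```python
# Added example (not from the paper): fault-tolerant selection of one level
# value from three transmitters, plus two-out-of-three (2oo3) alarm voting.
# A reading of None marks a channel the module has judged faulty.

def select_level(values, last_good):
    """Selection logic described in the text:
      3 healthy channels -> the middle (second largest) value, which discards
                            a single runaway reading in either direction
      2 healthy channels -> the higher of the two (conservative for a high-level protection)
      1 healthy channel  -> that reading
      0 healthy channels -> hold the last valid value and raise the fault flag
    Returns (selected_value, fault_flag)."""
    healthy = [v for v in values if v is not None]
    if len(healthy) == 3:
        return sorted(healthy)[1], False
    if len(healthy) == 2:
        return max(healthy), False
    if len(healthy) == 1:
        return healthy[0], False
    return last_good, True

def two_out_of_three(values, threshold):
    """2oo3 voting per NB/T 25039-2014: the alarm is raised when at least two
    of the three channels read above the threshold.  A failed channel never
    votes high, so one failure plus one spurious high cannot trip the alarm."""
    votes = sum(1 for v in values if v is not None and v > threshold)
    return votes >= 2

# Assumed alarm thresholds in mm (constructed; not values from the paper).
THRESHOLDS = {"high_I": 600.0, "high_II": 700.0, "high_III": 800.0}

def evaluate(values, last_good):
    """One scan cycle: the selected level for control plus the three voted alarms."""
    level, fault = select_level(values, last_good)
    alarms = {name: two_out_of_three(values, t) for name, t in THRESHOLDS.items()}
    return {"level": level, "fault": fault, **alarms}

if __name__ == "__main__":
    # Constructed scan sequence: healthy, one channel runaway high, one failed,
    # two failed, all failed.
    scans = [
        [650.0, 640.0, 660.0],
        [650.0, 640.0, 900.0],
        [650.0, None, 900.0],
        [None, None, 640.0],
        [None, None, None],
    ]
    last = 0.0
    for readings in scans:
        result = evaluate(readings, last)
        if not result["fault"]:
            last = result["level"]
        print(readings, "->", result)
```

With three healthy channels the control value ignores a single channel reading 900 mm while the high I alarm still trips because two channels agree; after one channel fails the higher of the remaining two is used, which is the safe direction for a high-level protection but also means a single drifting transmitter now drives the control output, so the fault flag on the failed channel deserves prompt maintenance attention.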

Fig. 5. Pre-improvement logic of ABP system liquid level control

From the perspective of cost control, the optimized level measurement instruments, liquid level test box and cables are greatly reduced, and a single unit can save about 2.05 million yuan in purchase cost (Table 4).


Fig. 6. Improved logic of ABP system liquid level control

Table 4. Optimized cost control of high temperature high pressure heater level measurement in the Conventional Island

System | Category | Pre-improvement (number) | Improved (number)
ADG/AHP/ABP/GSS | Instrument | 92 SNs, 21 MNs (displacer or differential) | 32 MNs (guided wave radar level gauge)
ADG/AHP/ABP/GSS | Test box | 13 | 0
ADG/AHP/ABP/GSS | Cable | 178 | 34

4 Conclusions

Through the optimization analysis of the level measurement scheme of the high temperature Conventional Island systems ADG (Deaerator), AHP (High Pressure Feedwater Heater), ABP (Low Pressure Feedwater Heater) and GSS (Moisture Separator Reheater) of a Nuclear Power Plant, this paper puts forward a proposed optimization scheme for the level measurement of the Conventional Island's high temperature high pressure heaters. The optimization scheme greatly reduces the failure rate of level measurement instruments, improves the accuracy and reliability of level measurement, and ensures the safety of unit operation. At the same time, the level measurement optimization scheme proposed in this paper greatly reduces the construction cost of the unit and will certainly be widely used.


References

1. NB/T 25039-2014: Recommended practices for the prevention of water damage to steam turbines used for light water nuclear power plant (2014)
2. Shao, W.: Application and Exploration of the Level Instruments in Fuqing Nuclear Power Plant (2014)
3. Hu, X.-P.: Feasibility of the renovation for 2MX2AHP high charging level measurement. J. Shanghai Electric Technol. (2016)
4. Zhang, L., Li, D.-Y.: Application and improvement of guided wave radar level meter in Fuqing Nuclear Power Plant. Process Automation Instrumentation (2019)

Qualification Test Research on Level Transmitter Equipment for Diesel Engine Lubricating Oil System

Jing-Yuan Yang1, Gang Jin1(B), Qi Wu1, and Li-Qin Zhang2

1 Nuclear and Radiation Safety Center, Beijing, China
[email protected]
2 China Nuclear Power Research Institute Co., Ltd., Beijing, China

Abstract. The number of operating nuclear power plant units in China has gradually increased, but the number of foreign nuclear equipment suppliers has gradually decreased. Commodity grade item assessment has played a very good role in the procurement of unique spare parts and in strengthening equipment quality control. To verify that the equipment can perform its predetermined functions with the specified technical performance under the operating and environmental conditions specified on site, the qualification test of the equipment is an important part of commodity grade dedication. In this paper, the qualification test of the level transmitter used in the 1E diesel engine lubricating oil system of a second-generation improved nuclear power plant is studied. The paper analyzes the common and differing requirements of the related equipment qualification standards IEEE 323, RCC-E and KTA3505, introduces the test content and results, and provides technical reference for the applicability of commodity grade dedication.

Keywords: Commodity grade dedication · Equipment identification · Level transmitter

1 Introduction

HAF102 and the United States Code of Federal Regulations 10CFR50.49 both clearly require the qualification of items important to safety in nuclear power plants [1, 2]. This is to verify that the device can perform its safety functions under the environmental conditions in which it is needed, throughout its entire lifetime. The definition of equipment qualification in IEEE Std 323 is "to produce and maintain proof that the equipment can perform functions in accordance with system performance requirements under normal and abnormal environmental conditions and design basis accidents" [3]. Equipment qualification is a process of generating evidence. It can be carried out using tests, analysis and calculation, operating experience, or a combination of these three methods. It is a means of design verification, and its purpose is to prove that the equipment can perform its safety functions under the environmental conditions in which it may operate during its lifetime [4, 5].

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 716–723, 2021. https://doi.org/10.1007/978-981-16-3456-7_72


According to the requirements of the "Civil Nuclear Safety Equipment Catalog (2016 Revision)", the equipment listed in the Catalog for the emergency diesel generator set should in principle be purchased from a certificate holder. If it is not purchased from a certificate-holding unit, it shall be purchased through a complete-set equipment supplier qualified to design and manufacture emergency diesel generator sets; the supplier qualifies the equipment and is generally responsible for its quality. The Beijing Branch of China General Nuclear Power Research Institute Co., Ltd. holds the complete-set diesel generator qualification, and is responsible for the equipment qualification and related work to meet regulatory requirements.

2 Items and Requirements for Equipment Qualification Ling Ao Nuclear Power Station is a second-generation improved power station. The design and construction of the entire power station adopts the French RCC series. Therefore, its electrical instrumentation and control equipment should first meet the “RCC-E French Nuclear Island Electrical Equipment Design and Construction Rules”. Requirements. Since the liquid level transmitter is supplied by a German manufacturer, the identification of the equipment needs to meet the relevant standards of France, Germany and China. Through the analysis of the three standards of IEEE Std 323 nuclear power plant class 1E equipment quality appraisal, RCC-E French nuclear island electrical equipment design and construction rules, and Germany KTA3505 safety-related measurement sensors, test instruments and control systems type testing three standards, compare them Based on the difference, the qualification requirements and criteria for the level transmitter for the lubricating oil system of the 1E diesel engine of the nuclear power plant are obtained. 2.1 IEEE Std 323 Qualification Requirements The operating conditions that should be considered in the equipment qualification proposed by IEEE323 include: normal and abnormal operating conditions and design basis accident conditions. Normal and abnormal operating conditions that should normally be considered include at least the following items: ambient temperature and pressure, relative humidity, irradiation level, ambient vibration level, operating baseline earthquake (OBE), electrical load and input and output signal ratings and Operating limits; freezing, chemical spraying, etc.; EMI/RFI and power fluctuations. The operating conditions for design basis accidents that should usually be considered include: high-energy pipeline rupture; LOCA accident; main steam pipeline rupture; safe shutdown earthquake. 
In terms of qualification test items, the IEEE 323 standard specifies: a benchmark function test under normal environmental conditions; tests under extreme environmental conditions, including environmental limits (temperature, humidity, EMC) and operating limits (load); a seismic mechanical vibration test; and a seismic test. The FMI51 level transmitter being qualified is installed in the diesel engine building outside the containment. This is a mild environment, and the transmitter is not subjected to freezing, chemical spraying, high-energy pipeline rupture, LOCA accidents or main steam pipeline ruptures. The main body of the device is made of stainless steel, and the head case is equipped with the transmitter; the main components have no significant aging mechanism. Therefore, according to this standard, no aging test is needed to establish the qualified life.

2.2 RCC-E Specification

RCC-E states that the qualification should prove that the equipment matches its intended use; that, under the specified operating and use conditions, it is not prone to failures that defeat the preventive measures taken at the design stage; and that it will not cause other equipment participating in safety functions to fail. To meet these requirements, RCC-E stipulates in B3000 to B7000 five qualification procedures, for normal environmental conditions, K3, K2, K1 and severe accident conditions [6]. According to its installation and use environment, the FMI51 level transmitter being qualified belongs to the K3 environment (outside the containment), so qualification under normal environmental conditions and K3 qualification are required. RCC-E stipulates that the purpose of the K3 qualification procedure is to ensure that equipment installed outside the containment can perform its specified functions under normal environmental conditions and seismic loads, as well as under accident environmental conditions specifically specified for certain equipment. Qualification tests under normal environmental conditions include: benchmark tests, tests under extreme operating conditions, durability tests or equipment aging performance tests, and earthquake resistance tests.

2.3 Analysis of the Difference Between KTA3505 and Other Standards

1. Function check
The RCC-E benchmark test includes the following items: visual inspection, dielectric strength test, insulation resistance measurement, basic error, hysteresis and repeatability error, starting drift, change trend, output load change test, main power supply change test, and power reverse protection. In the KTA3505 standard, the functional inspection covers: input signal, output load, ambient temperature, backup power supply (if any), electrical characteristics, and the temporary function test (test function monitoring during the physical test) [7]. Input signal: for the level transmitter, this refers to the change of the liquid level being measured. According to the capacitive level transmitter standard, 5 measurement points are uniformly selected within the measuring range to determine the error of the output signal; this is the concrete form of the "basic error, hysteresis and repeatability error" items of the RCC-E benchmark test. Output load: this item considers that the output of the level transmitter should have a certain load capacity, and corresponds to the output load change test in the RCC-E specification. Ambient temperature: the test should meet the requirements of the normal working environment of the level transmitter, and this requirement is reflected in the level transmitter qualification test requirements.
Standby power supply: this level transmitter has no standby supply; the nuclear power plant considers it at the power supply end of the level transmitter. Electrical characteristics: generally refers to the dielectric strength and insulation performance of the equipment.

2. Electromagnetic compatibility test
KTA3505 does not give specific test items and conditions, but proposes the following basic principles: 1) It should be proved that the test object is not affected by the electromagnetic environment. 2) The combined effects of different interferences need not be considered. 3) The immunity of the equipment should be considered according to its location during operation. The minimum required interference test parameters should be those specified in the generic EMC standards; for immunity in industrial environments, refer to DIN EN 61000-6-2. 4) Generally, it should be proved that the interference radiation emitted by the test object does not exceed the limits specified in the generic EMC standard; for emitted interference, refer to DIN EN 61000-6-4. For this level transmitter, which is installed on a diesel engine, has low power and has no sensitive instrumentation nearby, this item is not applicable.

3. Temporary function test (test function monitoring during physical test)
A temporary function test is a functional test carried out during a physical test, with an input value at a specific waiting point and under only one operating mode of the test object. In the environmental test of the level transmitter, the temporary function test is adopted as part of the corresponding test, not as a separate test item.

4. Climate test
In EJ/T 1197 method two, the thermal aging test conditions are as follows:
• High temperature test (70 °C, 96 h)
• Low temperature test (−25 °C, 96 h)
• Rapid temperature change test (−25 °C to 70 °C, 5 cycles)
• Alternating damp heat test (25 °C to 55 °C, 95% RH; 2 damp heat cycles of 24 h each, about 52 h cumulative including test preparation)

The test conditions given by KTA3505 first follow the requirements of the equipment procurement technical specification; where the procurement specification does not specify values, generality is considered and recommended values are given. The dry cold and dry heat test durations recommended by KTA3505 are less severe than those specified in EJ/T 1197, but KTA3505 also recommends constant damp heat and alternating damp heat tests. The thermal cycling test is similar to the long-term operation (operational aging) test recommended in the RCC-E series of standards, with slightly different test conditions.


5. Mechanical performance test
KTA3505 gives recommended seismic test conditions: sinusoidal mechanical vibration within the seismic frequency range of 5 to 35 Hz, at an acceleration of 1.5 g and a sweep rate of 1 oct/min, run for 1 cycle, after which the equipment is considered to have withstood the simulated earthquake test. This test method is not recommended internationally or domestically; China has complete regulations and standards for seismic testing, and this method is not among them. In the frequency range of 5–100 Hz, KTA3505 proposes a sinusoidal vibration test at an acceleration of 5 g and a sweep rate of 10 oct/min, run for 1 cycle, to simulate the impact of an aircraft; this test is worth domestic reference. The mechanical shock test simulates transportation conditions, belongs to the type test requirements for general equipment, and is not a necessary item of the 1E qualification test. In summary, the test conditions differ considerably: KTA3505 lacks the domestically recommended vibration (aging) test before the seismic test, and the three mechanical performance tests it proposes are relatively easy to implement in China.

6. Irradiation test under normal operating conditions
The level transmitter is installed outside the containment and is not subjected to nuclear radiation during operation; the radiation test requirement does not apply.

7. Design basis accident test
The design basis accident test is what is often called the LOCA test. The level transmitter is installed outside the containment, and this test requirement does not apply.

3 Qualification Requirements

The FMI51 level transmitter is installed in the diesel engine workshop outside the containment, and the site is not exposed to irradiation or LOCA accident conditions. The standard system used in the design and construction of the entire Ling Ao Phase II power station is the French RCC series, so the FMI51 liquid level transmitter should first meet the requirements of RCC-E, "French Nuclear Island Electrical Equipment Design and Construction Rules", and its qualification should follow the 1E-level K3 qualification procedure stipulated by RCC-E. The qualification principles, sequence and methods stipulated in IEEE 323 are basically consistent with the RCC-E K3 procedure, so meeting the RCC-E K3 procedure basically meets IEEE 323 as well. At the same time, the emergency diesel unit of Ling Ao Phase II Unit 3 is manufactured by MTU of Germany, so the qualification of the FMI51 liquid level transmitter used in its lubricating oil system should in principle also comply with KTA3505, the German Nuclear Safety Commission standard "Type Testing of Safety-Related Measurement Sensors, Test Instruments and Control Systems". The qualification of the FMI51 equipment follows RCC-E 2002 "Design and Construction Rules for Nuclear Island Electrical Equipment of PWR Nuclear Power Plants", GB/T 12727–2002 "Quality Qualification of Electrical Equipment for Nuclear Power Plant Safety Systems", EJ/T 1197 "Qualification Test Methods and Environmental Conditions for Nuclear Power Plant Safety Grade Electrical Equipment", HAF-J 0053 "Nuclear Equipment Seismic Qualification Test Guidelines" and other international and domestic qualification requirements for nuclear power plant general electrical equipment. In environmental and electromagnetic compatibility test methods and conditions, it is kept at the same level as the national (GB) and international (IEC) standards, and it also meets the requirements of the German KTA3505 standard [8, 9].

3.1 Test Sample
The equipment supplied is all of model FMI51-A1FGGJA1Y1D, so two identical level transmitters were selected for this test. The benchmark tests, tests under extreme environmental conditions, tests evaluating equipment performance versus time, and seismic tests were carried out on the two samples simultaneously.

3.2 Test Conditions
In field use, the FMI51 level transmitter measures the oil level in the tank and converts the change of capacitance into a 4–20 mA current signal. To simulate on-site use in the qualification test, a lubricating oil tank was specially built for the integrated test. During the test, the level transmitter is installed on the lubricating oil tank and calibrated, lubricating oil is poured into the tank to the desired level, and a high-precision ammeter is connected in series in the loop to measure the output current.

3.3 Test Equipment
Common test instruments for the qualification test mainly include: process calibrator, multimeter, DC power supply, safety tester, DC resistor, etc.
In addition, the electromagnetic compatibility tests, environmental temperature impact tests and tests evaluating equipment performance over time require signal generators, antennas, test systems, high and low temperature and humidity test chambers, drop tables and seismic test facilities of professional testing institutions.

3.4 Test Implementation and Results

1. Benchmark test
The benchmark test measures the functional characteristics under normal atmospheric conditions. The basic electrical characteristics test includes the dielectric strength test and insulation resistance measurement; the basic functional characteristics test includes basic error, hysteresis, repeatability error, initial drift and other performance tests. These test data confirm that the performance of each level transmitter is normal before the qualification test officially starts, and serve as the benchmark parameters for the functional performance inspection of the level transmitter after each qualification test.


2. Output load change test
With input signals of 10%, 50% and 90% applied to the level transmitter in turn, the load resistance of the level transmitter was increased from 0 Ω to 400 Ω. The level transmitter was found to be insensitive to load changes within the test range.

3. Main power supply change test
The supply voltage was varied within −20% to +30% of the rated voltage, and the maximum supply voltage was applied in reverse polarity for 1 min. The level transmitter has reverse power supply protection and is insensitive to power supply changes within the test range.

4. Electromagnetic compatibility test
The level transmitter electromagnetic compatibility test includes the following eight tests: radio frequency electromagnetic field radiation immunity test, radio frequency field induced conducted disturbance immunity test, electrical fast transient burst immunity test, surge (shock wave) immunity test, power frequency magnetic field immunity test, pulse magnetic field immunity test, and electrostatic discharge immunity test. After the test, the appearance of the level transmitter was good. Monitoring during the test showed that the output signal of the level transmitter did not change significantly during the electromagnetic disturbances and stayed within 2/5 (0.4%) of the basic error limit, meeting the corresponding acceptance criteria.

5. Free drop test
After 4 consecutive free drops from a height of 250 mm, the level transmitter test results were normal.

6. Equipment aging performance test
The aging performance test items for the level transmitter include the high temperature test, low temperature test, rapid temperature change test, damp heat cycle test, operational aging test and vibration aging test, all of which were passed.

7. Tests under accident and post-accident environmental conditions
The earthquake resistance test used 2 times the floor spectrum at the level transmitter's installation location on the diesel engine. The output signal of the level transmitter was monitored online during the seismic test; during the earthquake there was no abnormal behaviour such as signal loss or garbled output. After the seismic test, the output signal error of the level transmitter was measured at the input (45% of range) used in normal operation, and the maximum output signal error met the basic error requirements. After all qualification tests were completed, the basic error, hysteresis and repeatability error and the basic electrical characteristics of the level transmitter were tested; the results show that the functional performance and basic electrical characteristics of the level transmitter meet the corresponding acceptance criteria.


4 Conclusion

This article compares and analyses the common and differing requirements of the IEEE 323, RCC-E and KTA3505 equipment qualification standards. Based on the on-site environmental conditions and functional requirements, it discusses the compliance of the qualification test items with the regulatory standards and the on-site environment, determines the qualification requirements, items and criteria for the level gauge, and introduces the test implementation and results. It provides a technical reference for subsequent nuclear power owners in the qualification of level transmitter equipment used in the emergency diesel engine lubricating oil system and in commercial grade dedication.

References

1. HAD102/13 Nuclear power plant emergency power system (1996)
2. HAD102/14 Nuclear power plant safety related instrumentation and control system (1996)
3. IEEE Std 323-2003: IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations. IEEE, January 2004
4. HAF001 People's Republic of China Civil Nuclear Facilities Safety Supervision and Administration Regulations (1993)
5. HAF003 Nuclear power plant quality assurance safety regulations (1991)
6. RCC-E Code for the Design and Construction of Electrical Equipment on the French Nuclear Islands
7. KTA 3505 Type Testing of Measuring Sensors and Transducers of the Safety-Related Instrumentation and Control System (2004)
8. GB/T 12727 Nuclear power plant electrical equipment of the safety system quality qualification (2002)
9. EJ/T 1197 Testing method and environment condition for qualification of electrical equipment of the safety system in nuclear power plants (2007)

Study on the Load Following Control of SMR with Flexible Load

Ming-Ming Liu1, Ao-Di Sun2, Lei-Lei Qiu2, Ru Zhang2, and Xin-Yu Wei2(B)

1 Science and Technology on Reactor System Design Technology Laboratory, Nuclear Power Institute of China, Chengdu 610041, China
2 Key Laboratory of Advanced Nuclear Energy and Technology, and Shaanxi Engineering Research Center of Advanced Nuclear Energy, Xi'an Jiaotong University, Xi'an 710049, China
[email protected]

Abstract. The load following requirement increases greatly when a Small Modular Reactor (SMR) is operated in isolated island mode. To improve the load following ability of the system, a flexible load (FL) is introduced in this study to follow the electricity load during load following. An FL is defined as a power consuming system whose power demand can be changed at will; hydrogen production plants, desalination facilities, district heating systems and other industrial process heat supply systems are all FLs. To analyse the dynamic characteristics of the system, a pressurized water reactor (PWR) type SMR (comprising the reactor core and a once-through steam generator), the balance of plant (BOP) and the FL are modeled first. Based on these dynamic models, an SMR-FL dynamic simulation program is built in the MATLAB/Simulink environment. According to their different characteristics, two types of FL are considered, and the corresponding load allocation control systems are designed. A typical electricity load is used to verify the designed control systems for the two types of FL. The simulation results show that the designed control systems can achieve load following by adjusting the power consumption of the FL while maintaining a constant or moderately changing SMR output. This characteristic makes the SMR-FL system more flexible and efficient.

Keywords: Small Modular Reactor (SMR) · Load following · Flexible load (FL) · Control · Simulation

1 Introduction

With its lower cost, shorter construction period and inherent safety, the small modular reactor (SMR) is considered by the International Atomic Energy Agency (IAEA) to be one of the most promising types of nuclear reactor [1]. According to the Chinese Energy Technology Innovation “13th Five-Year” Plan, the SMR is also a key research and development direction for the coming period [2].

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021 Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 724–737, 2021. https://doi.org/10.1007/978-981-16-3456-7_73


In micro-grid electricity consumption scenarios such as islands, remote areas and large ships, load following is in great demand for SMRs. In fact, however, the load following process leads to frequent reactor power adjustment, which is harmful to the nuclear fuel assemblies, the control rods and the control rod drive mechanism [3]. From an economic point of view, an SMR is a low marginal cost investment, so frequent power changes are inefficient [4, 5]. Based on these facts, a type of power consuming system named flexible load (FL) is adopted to compensate the variable electricity load during load following. The FL is defined as either a flexible industrial process, such as desalination or hydrogen production, whose products can be stored and/or whose throughput can be changed frequently by the steam load, or district heating, whose load should be maintained around a stationary value but may fluctuate within a certain range [6]. Because the surplus power generated by the SMR can be used in the FL system, the SMR-FL system can improve the load following ability and the system efficiency simultaneously. However, the added FL makes the whole system more complex and brings difficulties in system control. This study therefore focuses on the control system design of the SMR-FL system. With the designed control system, the electricity load is allocated by the control system and shared between the SMR and the FL.

2 Dynamic Model

Figure 1 shows the structure diagram of the SMR-FL. The SMR-FL contains four main parts: the reactor core, the once-through steam generator (OTSG), the balance of plant (BOP) and the FL. The nuclear steam supply system (NSSS), which consists of the reactor core, the OTSG and the primary pipes, generates steam for the BOP and the FL. The generated steam is allocated to the BOP to generate electricity and to the FL to produce water, hydrogen or heat. The three valves in Fig. 1 are used to perform the load allocation: Valve 1 controls the total steam generated by the NSSS, Valve 2 controls the steam output to the BOP for electricity production, and Valve 3 controls the steam output to the FL for power consumption.

[Figure: Core → OTSG → Valve 1; Valve 2 → BOP → Electricity; Valve 3 → Flexible Load → Hydrogen/Water/Heat]

Fig. 1. The SMR-FL structure diagram


For the control system design, the dynamic model of the SMR-FL must be built; it is derived below.

(1) Reactor core dynamic model
The reactor core model contains the neutron dynamics model and the heat transfer model. The neutron dynamics model uses the one-dimensional nodal model with feedback [7, 8]. Figure 2 shows the reactor core node partition in the axial direction. According to this node partition, Eq. 1 describes the reactor core dynamic model used in this study.

[Figure: axial coordinate z from 0 (coolant inlet, T_c,in) to the top (coolant outlet, T_c,out), divided into Node 1, Node 2, …, Node n, with coupling terms Φ_1,2, Φ_2,1, Φ_2,3, Φ_3,2, …, Φ_n−1,n, Φ_n,n−1 between adjacent nodes]

Fig. 2. The reactor core node partition in the axial direction

$$
\begin{cases}
\dfrac{d\,\delta N_i}{dt} = \dfrac{w_{i,i-1}}{\Lambda_i}\,\delta N_{i-1} + \dfrac{w_{i,i+1}}{\Lambda_i}\,\delta N_{i+1} + \dfrac{\rho_{0i} - \beta - w_{ii}}{\Lambda_i}\,\delta N_i + \displaystyle\sum_{k=1}^{6}\dfrac{\beta_k}{\Lambda_i}\,\delta C_{k,i} + \dfrac{1}{\Lambda_i}\left(\delta\rho_{ri} + \alpha_{fi}\,\delta T_{fi} + \alpha_{ci}\,\delta T_{ci}\right) \\[8pt]
\dfrac{d\,\delta C_{k,i}}{dt} = \lambda_k\left(\delta N_i - \delta C_{k,i}\right), \qquad k = 1, 2, \ldots, 6 \\[8pt]
\dfrac{d\,\delta T_{fi}}{dt} = \dfrac{f P_{0i}}{\mu_{fi}}\,\delta N_i - \dfrac{\Omega_i}{\mu_{fi}}\,\delta T_{fi} + \dfrac{\Omega_i}{\mu_{fi}}\,\delta T_{ci} \\[8pt]
\dfrac{d\,\delta T_{ci}}{dt} = \dfrac{(1-f) P_{0i}}{\mu_{ci}}\,\delta N_i + \dfrac{\Omega_i}{\mu_{ci}}\,\delta T_{fi} - \dfrac{\Omega_i + 2M_i}{\mu_{ci}}\,\delta T_{ci} + \dfrac{2M_i}{\mu_{ci}}\,\delta T_{cin}
\end{cases}
\tag{1}
$$


where N is the neutron density, C is the delayed neutron precursor concentration, T is the temperature, ρ is the reactivity, β is the fraction of delayed fission neutrons, w is the coupling coefficient, Λ is the average neutron generation time, α is the reactivity coefficient, λ is the decay constant, P is the thermal reactor power, f is the fraction of the core power generated in the fuel, Ω is the overall heat transfer coefficient between fuel and coolant, M is the heat capacity of the coolant mass flowrate and μ is the total heat capacity. The subscripts i, 0, f, c, in, k, r and m denote the ith node, the rated value, the fuel, the coolant, the inlet, the kth delayed neutron group and the control rod, respectively.

(2) OTSG dynamic model
The steam generator employed in the SMR presented in this study is an OTSG. Figure 3 shows the OTSG control volume partition. The OTSG is divided into a subcooled section, a two-phase section and a superheated section according to the water state on the secondary side in the axial direction, and into the primary side, the tube wall and the secondary side in the radial direction.
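As an added example (not the paper's program), the single-node case of Eq. 1 integrated in Python: with one node the coupling terms w vanish and the model reduces to six-group point kinetics coupled to the fuel and coolant heat balances. All parameter values are constructed (typical PWR magnitudes), and the analytic steady state used as a check follows from setting the derivatives in Eq. 1 to zero.

```python
"""Single-node form of the reactor core model (Eq. 1) with temperature feedback.

Added example, not the paper's code. With one node the coupling terms w vanish,
leaving six-group point kinetics coupled to fuel and coolant heat balances.
All parameters are constructed (typical PWR magnitudes); a positive control-rod
reactivity step d_rho_r is applied at t = 0.
"""
from dataclasses import dataclass
from typing import List

# Six-group delayed neutron data (constructed, thermal-fission magnitudes)
BETA_K = [0.000215, 0.001424, 0.001274, 0.002568, 0.000748, 0.000273]
LAMBDA_K = [0.0124, 0.0305, 0.111, 0.301, 1.14, 3.01]   # decay constants, 1/s


@dataclass
class CoreParams:
    """Constructed one-node parameters; units MW, MJ/K, MW/K, K, s."""
    gen_time: float = 2.0e-5    # Lambda, average neutron generation time, s
    rho0: float = 0.0           # rho_0, initial reactivity (critical)
    p0: float = 100.0           # P_0, rated thermal power of the node, MW
    f: float = 0.95             # fraction of power deposited in the fuel
    omega: float = 4.0          # Omega, fuel-to-coolant heat transfer coefficient, MW/K
    m_cool: float = 3.0         # M, coolant mass flowrate times specific heat, MW/K
    mu_f: float = 30.0          # mu_f, fuel heat capacity, MJ/K
    mu_c: float = 20.0          # mu_c, coolant heat capacity, MJ/K
    alpha_f: float = -3.0e-5    # fuel (Doppler) reactivity coefficient, 1/K
    alpha_c: float = -2.0e-4    # coolant reactivity coefficient, 1/K


def steady_state_dn(prm: CoreParams, d_rho_r: float) -> float:
    """Analytic steady state of Eq. 1: feedback cancels the rod reactivity.

    With the derivatives set to zero, the temperature equations give
    dT_c = P0 dN / (2M) and dT_f = dT_c + f P0 dN / Omega; inserting these into
    d_rho_r + alpha_f dT_f + alpha_c dT_c = 0 and solving for dN.
    """
    gain = prm.p0 * (prm.alpha_f * (1.0 / (2 * prm.m_cool) + prm.f / prm.omega)
                     + prm.alpha_c / (2 * prm.m_cool))
    return -d_rho_r / gain


def simulate(prm: CoreParams, d_rho_r: float, t_end: float = 1000.0,
             dt: float = 0.02, d_t_cin: float = 0.0) -> dict:
    """Integrate Eq. 1 for one node; the stiff prompt term is treated implicitly."""
    beta = sum(BETA_K)
    dn, dtf, dtc = 0.0, 0.0, 0.0          # deviations from the rated state
    dc: List[float] = [0.0] * 6           # delayed precursor deviations
    peak = 0.0
    for _ in range(int(round(t_end / dt))):
        # explicit source terms evaluated at the current state
        src = sum(bk / prm.gen_time * ck for bk, ck in zip(BETA_K, dc))
        src += (d_rho_r + prm.alpha_f * dtf + prm.alpha_c * dtc) / prm.gen_time
        # implicit update of the prompt term allows dt far above Lambda
        dn_new = (dn + dt * src) / (1.0 - dt * (prm.rho0 - beta) / prm.gen_time)
        dc_new = [ck + dt * lk * (dn - ck) for ck, lk in zip(dc, LAMBDA_K)]
        dtf_new = dtf + dt * (prm.f * prm.p0 * dn - prm.omega * (dtf - dtc)) / prm.mu_f
        dtc_new = dtc + dt * ((1 - prm.f) * prm.p0 * dn + prm.omega * dtf
                              - (prm.omega + 2 * prm.m_cool) * dtc
                              + 2 * prm.m_cool * d_t_cin) / prm.mu_c
        dn, dc, dtf, dtc = dn_new, dc_new, dtf_new, dtc_new
        peak = max(peak, dn)
    return {"dN": dn, "dTf": dtf, "dTc": dtc, "peak_dN": peak}


if __name__ == "__main__":
    prm = CoreParams()
    res = simulate(prm, d_rho_r=1.0e-4)   # +10 pcm rod withdrawal, constructed
    print(f"simulated dN = {res['dN']:.5f}, analytic = {steady_state_dn(prm, 1e-4):.5f}")
    print(f"peak dN = {res['peak_dN']:.4f}, dTf = {res['dTf']:.2f} K, dTc = {res['dTc']:.2f} K")
```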

Fig. 3. The division scheme of the OTSG heat transfer sections

In every control volume, T is the temperature, P is the pressure, L is the axial position, W is the mass flowrate, Q̄ is the average heat quantity, ρ̄ is the average density and T̄ is the average temperature. The subscript x = p, s, w denotes the primary side, the secondary side and the wall, respectively. The subscript i = 0, 1, 2 denotes the subcooled section, the two-phase section and the superheated section. The subscript j = 0, ···, N denotes the node number in every heat transfer section.


Movable boundary theory is used here. According to the control volume division, the mass, energy and momentum conservation equations of every control volume are given as Eqs. 2–4 [9].

$$
\frac{d}{dt}\int_{L_{x,i,j}}^{L_{x,i+1,j+1}} \rho_x A_x\,dz
= \rho_{x,i+1,j+1} A_x \frac{dL_{x,i+1,j+1}}{dt} - \rho_{x,i,j} A_x \frac{dL_{x,i,j}}{dt}
- W_{x,i+1,j+1} + W_{x,i,j} + A_x\left(L_{x,i+1,j+1} - L_{x,i,j}\right)\square_{x,i,j}
\tag{2}
$$

$$
\frac{d}{dt}\int_{L_{x,i,j}}^{L_{x,i+1,j+1}} \rho_x A_x\left(h - \frac{p}{\rho_x}\right)dz
= \rho_{x,i+1,j+1} A_x\left(h_{x,i+1,j+1} - \frac{p_{x,i+1,j+1}}{\rho_{x,i+1,j+1}}\right)\frac{dL_{x,i+1,j+1}}{dt}
- \rho_{x,i,j} A_x\left(h_{x,i,j} - \frac{p_{x,i,j}}{\rho_{x,i,j}}\right)\frac{dL_{x,i,j}}{dt}
- W_{x,i+1,j+1} h_{x,i+1,j+1} + W_{x,i,j} h_{x,i,j} + \bar{Q}_{x,i,j}
\tag{3}
$$

$$
p_{x,i+1,j+1} = p_{x,i,j} - \left(\rho_{x,i+1,j+1}\nu_{x,i+1,j+1}^{2} - \rho_{x,i,j}\nu_{x,i,j}^{2}\right)
+ \frac{\delta_x}{D}\,\frac{\rho_{x,i,j}\nu_{x,i,j}^{2}}{2}\left(L_{x,i+1,j+1} - L_{x,i,j}\right)
+ \bar{\rho}_x g\,\frac{V_{x,i+1,j+1} - V_{x,i,j}}{A_x}
\tag{4}
$$

(3) BOP dynamic model
The BOP is simplified to a steam turbine that generates electric power from steam. Therefore, the BOP is modeled by a simplified single-cylinder model, which describes the energy transfer from steam to electric power as Eqs. 5–8 [6].

$$S_0 = f(p_{in}, h_{in}) \tag{5}$$

$$h'_{out} = f(p_{out}, S_0) \tag{6}$$

$$h_{out} = h_{in} - \eta\left(h_{in} - h'_{out}\right) \tag{7}$$

$$P = W_{in}\left(h_{in} - h_{out}\right) \tag{8}$$

where S_0 is the steam specific entropy, p_in is the inlet pressure, p_out is the outlet pressure, h_in is the inlet specific enthalpy, h_out is the real outlet specific enthalpy, h'_out is the ideal outlet specific enthalpy, P is the generated electric power and W_in is the mass flowrate.


(4) FL dynamic model
The cold trap condition is assumed to be saturated water at 0.1 MPa. Under this assumption, the FL dynamic model is built as the energy transfer relationship in the FL, Eq. 9 [6]:

$$Q_{fl} = W_{fl}\left(h_{fl} - h_{ct}\right) \tag{9}$$

where Q_fl is the thermal energy output from the NSSS to the FL, W_fl is the steam mass flowrate to the FL, h_fl is the steam specific enthalpy at the inlet of the FL and h_ct is the saturated water specific enthalpy at the outlet of the FL. According to the different uses of the FL, two types of FL are abstracted in this study. (a) Wide range FL, whose steam consumption can be changed over a wide range; desalination facilities and hydrogen production systems are wide range FLs. (b) Small range FL, whose steam consumption can only be varied within a small range, but may fluctuate within it; district heating is a small range FL.

3 The Control System Design

The ideal operation program (IOP) is used in the SMR [10]. Under the IOP operation scheme, the reactor core average temperature and the steam pressure are both maintained constant during reactor power variation. The deviation between the measured reactor core average temperature and its setpoint is used to control the reactor power, and the deviation between the measured steam pressure and its setpoint is used to control the feedwater flowrate. When the wide range FL is used in the SMR-FL, the electricity load variation can be compensated completely during load following, so the reactor power is maintained constant. In this case the steam flowrate through Valve 1 (W_NSSS) should remain unchanged because of the constant reactor power, while the steam flowrate through Valve 2 (W_tur) should follow the electricity load; W_tur is controlled by a PID controller according to the deviation between the BOP admission pressure and its setpoint. The steam flowrate through Valve 3 (W_fl) is then adjusted by Valve 3 to satisfy the former two goals. The control logic scheme is shown in Fig. 4.

[Figure: PID acting on p_r − p_cal gives W_tur; W_fl = W_NSSS − W_tur]

Fig. 4. The control logic schema of wide range FL


When the small range FL is used, the electricity load can be compensated partly by varying the FL within a certain small range during load following, so the reactor power changes moderately. In this case W_tur, which is controlled by a PID controller according to the deviation between the BOP admission pressure and its setpoint, should follow the electricity load, while W_fl should stay within a small range. Consequently, W_NSSS is changed only when the steam flowrate through Valve 3 would exceed its limits. The control logic scheme is shown in Fig. 5.

[Figure: PID acting on p_r − p_cal gives W_tur; W_NSSS = W_tur + W_fl]

Fig. 5. The control logic schema of small range FL

4 Results and Discussion

An SMR-FL simulation program is built in the MATLAB/Simulink environment according to the dynamic model presented in Sect. 2. To verify the control systems for the wide range and small range FL designed in Sect. 3, a typical electricity load is used as the load following target, as shown in Fig. 6.

Fig. 6. The typical electricity load


The SMR-FL simulation results with the wide range FL are shown in Figs. 7–9.

Fig. 7. The output power, (a) electricity power, (b) reactor power, (c) wide range FL power

Comparing Fig. 6 and Fig. 7(a) shows that the BOP power follows the electricity load completely. The reactor core power fluctuates around 100% during the transient, as shown in Fig. 7(b). The wide range FL power compensates the variation of the electricity power so that the reactor core power fluctuation remains small. Figure 8 shows the steam mass flowrates in the system. The steam from the NSSS is separated into two parts, one flowing to the BOP to generate electricity and the other to the wide range FL. The second part compensates the variation of the first so that the total steam mass flowrate stays around a constant value. In Fig. 9, the steam pressures at the outlet of the NSSS and at the inlet of the BOP both fluctuate around their reference values, which means the control system works well.

Fig. 8. The steam mass flowrate, (a) to BOP, (b) from NSSS, (c) to the wide range FL


Fig. 9. The steam pressure, (a) at the outlet of NSSS, (b) at the inlet of the BOP

The SMR-FL simulation results with the wide range FL indicate that the wide range FL can compensate the variation of the electricity power completely by adjusting the steam mass flowrate to the FL, so that the reactor power is maintained almost constant. The SMR-FL simulation results with the small range FL are shown in Figs. 10–12. Comparing Fig. 6 and Fig. 10(a) shows that the BOP power follows the electricity load completely. The reactor power has a similar trend to the BOP power but a higher power level in Fig. 10(b), because the BOP has a lower efficiency at non-rated power. The small range FL power fluctuates around its rated value, which keeps the reactor core power changing moderately while maintaining an almost stable heat supply. Figure 11 shows the steam mass flowrates in the system. The steam from the NSSS is separated into two parts, one flowing to the BOP to generate electricity and the other to the FL. The second part fluctuates around its rated value so that the steam mass flowrate from the NSSS changes moderately. In Fig. 12, the steam pressures at the outlet of the NSSS and at the inlet of the BOP both fluctuate around their reference values, which means the control system works well.


Fig. 10. The output power, (a) electricity power, (b) reactor power, (c) small range FL power

The SMR-FL simulation results with the small range FL indicate that the small range FL can partly compensate the electricity load variation by adjusting the steam mass flowrate to the FL. As a result, the reactor power varies only moderately during the transient, which alleviates drastic changes of the reactor thermal parameters.


Fig. 11. The steam mass flowrate, (a) to BOP, (b) from NSSS, (c) to small range FL



Fig. 12. The steam pressure, (a) at the outlet of NSSS, (b) at the inlet of the BOP

5 Conclusion
The load following control system design of the SMR-FL is studied. Two types of FL, the wide range FL and the small range FL, are presented, modeled and simulated, and the corresponding control systems are designed. Based on the established SMR-FL simulation program, a typical electricity load is used as the load following target to verify the designed control systems. The wide range FL simulation results show that the electricity load variation can be compensated completely by the wide range FL, and the reactor power is maintained almost constant during load following. For the small range FL, the simulation results show that the electricity load variation needs to be compensated by the small range FL and the reactor power simultaneously: during load following, the small range FL power fluctuates within a certain range, while the reactor power variation is moderate. These results verify the designed control systems, and also verify the load following method for the SMR-FL using the wide range and small range FL.

Acknowledgement. This work is supported by the National Natural Science Foundation of China (11875218) and Fundamental Research Funds for the Central Universities (xjh012020032).



The Verification for RRC System of Nuclear Power Plant Based on Digital Twins Technologies
Jia-Lin Ping, Li-Ming Zhang, Can Zhou, Chun-Bing Wang, and Chao Lu
State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co., Ltd, Shenzhen 518172, Guangdong, China

Abstract. This paper takes the verification of the reactor RRC system of a pressurized water reactor nuclear power plant as its research object. It determines the modelling scope of the RRC system according to the characteristics of the RRC system, models its process systems and control systems, and finally constructs a digital Twins system of the RRC system, which realizes dynamic closed-loop verification of the RRC system. Implementation examples for typical accidents are given. The results achieve the purpose of accurate verification of the RRC system, improve the safety and economy of nuclear power plants, and play an important role in improving the safety and economy of nuclear power plant operation.

Keywords: Reactor RRC system · Digital Twins modelling · Dynamic verification

1 Introduction
The operational safety control of nuclear power plants is very important, because improper control of their complex systems and numerous pieces of equipment risks radiation leakage. The digital instrumentation and control system (DCS) is adopted in third-generation nuclear power units [1], which effectively improves the safety and economy of the units. Among its systems, the reactor control system (RRC) of the nuclear power plant [2], as the core control system, plays a key role in plant operation. The RRC system includes the reactor power regulating system, the reactor average temperature regulating system, the pressurizer pressure control system, etc. During normal operation and transient events, these systems need to control the operating state of the unit effectively according to the design criteria of the nuclear power plant and keep the main parameters of the unit within the normal range; thus the process model and the control model are required to have full range and high precision. However, because of the complexity of the nuclear power plant system and the strong coupling between the control parameters of the RRC system, a butterfly effect arises easily. If there is a problem in the design of the RRC system, it is very likely that the nuclear power unit cannot operate normally or that accidents are caused, which has a significant impact on the safety and economy of the nuclear power plant. Therefore, in order to ensure the

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 738–745, 2021. https://doi.org/10.1007/978-981-16-3456-7_74

The Verification for RRC System of NPP Based on Digital Twins Technologies

739

design accuracy of the RRC system, it is necessary to verify the RRC system design comprehensively. At present, there are mainly two ways to verify the design of the RRC system. The first is static document audit and verification, which has several problems: in subsystem audits there is a risk of unclear interface information for a multi-system integrated control system; the requirements on auditors are high, with a risk of subjective omission or error; and the control adjustment parameters cannot be verified. The second is verification by system software simulation, but most existing research verifies only a single system. This paper proposes verifying the RRC system based on digital Twins technology. Digital Twins target entities in the physical world and build a completely consistent corresponding model in the digital world, thereby realizing the understanding, analysis and optimization of physical entities [3]. Digital Twins technology performs dynamic simulation, monitoring, analysis and control of physical entities through digital means to simulate accurately the operating state of the RRC system in its actual environment; it then simulates and verifies the operation of the RRC system under normal and transient conditions, and verifies that the logical actions, adjusting characteristics, system correlations and setting values of each RRC subsystem are correct, so as to avoid unnecessary shutdowns and erroneous operations. Digital Twins technology thus provides a feasible solution to the above problems.

2 RRC Digital Twins Technique
2.1 Digital Twins Modelling Technique
Digital Twins mainly build virtual models of physical systems on simulation platforms, such as discrete event simulation and finite element simulation, and build models based on general-purpose programming languages, simulation languages, or special simulation software. For example, in [4] the authors proposed a microkernel digital Twins platform that can actively manage real-time sensor data based on a simulation database and supports modification and correction of simulation models. Gerardo et al. proposed a simulation-based factory digital Twins system [5], which keeps the virtual factory in the same state as the real factory using model parameter estimation. However, traditional modelling and simulation technology has the defects of poor flexibility, complicated configuration and proneness to error. To overcome these problems, researchers have developed a variety of digital Twins modelling languages, such as AutomationML [6], UML [7], SysML [8], and XML, of which AutomationML is the most widely used. Some research institutions have also built special modelling platforms for digital Twins to simplify the modelling process, FlexSim and Qfsm being examples [9, 10]. Based on the above platforms and modelling languages, researchers have established digital Twins models for different product life cycles. For example, Kritzinger et al. designed a cloud-based digital Twins modelling architecture as a general model to guide the construction of digital Twins models. Caputo et al. built a factory digital Twins model based on Matlab to improve the overall production process design [11].
Digital Twins have been successfully applied in different product life cycles, including supply chain management, product development, equipment manufacturing and fault diagnosis. In supply chain management, the processes, technologies, products and services of different organizations or companies can be represented in a virtual system to obtain an overall view of the supply chain, which greatly simplifies business processes and improves supply chain management and decision-making efficiency. In “Digital Twins shop-floor: A new shop-floor paradigm towards smart manufacturing” [12], the authors proposed a digital Twins shop-floor (DTS) model to achieve intelligent manufacturing. In the product maintenance phase, digital Twins are used to predict product failures accurately and so avoid huge losses. However, because of the complexity of the systems and the level of modelling, few mature digital Twins systems are currently used in industry. Therefore, the application of digital Twins in industrial systems needs further research and development.
2.2 RRC Design Verification Technique
At present, the verification of the RRC system is mostly carried out in one way, namely adopting system simulation technology to construct a simulation model for the dynamic test and logic preview of the RRC system. For example, the literature developed an RRC simulation test platform based on the reactor thermal hydraulic simulation model [13], the LabVIEW graphical virtual instrument programming language and DAQ data acquisition technology. By connecting the platform to the digital instrumentation and control system (DCS) cabinet of the nuclear power plant, single-step and associated operation tests are carried out on the actual RRC, and the logic preview and evaluation of the RRC system are thereby realized [14]; a variety of functional modules for simulating different functions were developed based on a distributed parallel computing structure and modular design, thereby establishing an engineering simulator for a 1000 MW pressurized water reactor nuclear power plant, on which the control system model was optimized and debugged. However, the simulation-based RRC system design verification method relies on artificially set simulation scenarios, so it is difficult to cover all possible working conditions, which is a great limitation [15].
2.3 RRC Design Verification Based on Digital Twins
Different from the above simulation-based verification method for the RRC system, this paper implements dynamic design verification of the RRC system based on digital Twins. First, a process system model is built based on the physical mechanism model and the RRC system design manual; then the different control modules of the RRC system are modeled based on the design drawings. Finally, after each single model passes its test, system integration and overall debugging tests are carried out through the communication interfaces, and a digital Twins of the RRC system is formed. The digital Twins system of the RRC system can set a variety of events and carry out a large number of simulations, tests and verifications of the system design. It has higher flexibility and reliability.


3 Modelling of RRC Digital Twins System
The RRC system is a general term for the reactor control systems of a nuclear power plant. It includes multiple systems such as the reactor power regulating system, the reactor average temperature regulating system, and the pressurizer pressure control system, and it can be divided into process systems and control systems. There are nearly 3500 models and 7447 IO points in the RRC system model, and these models need to be connected to each other. This section models the process systems based on the mechanism simulation model and the control systems by logical modelling of the design diagrams, respectively, and couples them into a complete RRC digital Twins system, as shown in Fig. 1.

Fig. 1. Coupling configuration diagram of control model, process model and human-machine interface of RRC systems based on digital Twins

4 Verification Examples of RRC Digital Twins System
In order to verify the function of the RRC digital Twins system, two typical nuclear power control events are designed in this section. By simulating and analyzing the state curves caused by the corresponding event on the RRC digital Twins system platform, defects in the RRC system design can be found effectively.
4.1 Verifying the Trip Event
During the operation of a nuclear power unit, a turbine shutdown event, that is, a trip event, may occur. At such times the design criteria require that the reactor not be shut down by protective actions, because once the reactor is shut down it causes greater economic losses. Therefore, rapid adjustment by the RRC system is required. The reactor rod control system controls the reactor power to the final power setting value along the power setting curve, keeps the average temperature of the primary loop, the pressure and water level of the pressurizer, and the water level of the steam generator within the normal range, and balances the thermal power of the primary and secondary loops. Thus, the normal operation of the RRC system is very important for the control of such transient operating events of the unit, and the trip event is a large transient event for the operation of the unit. It involves all the adjustment functions of the RRC system and


has great importance for the comprehensive verification of the control functions of the RRC system. Verification steps: 1) Recall the full-load working condition; 2) Run for 30 s and set up a steam turbine trip; 3) Observe the actions of the power rod group of the rod control system in accordance with the power setting curve, the pressurizer pressure adjustment, the pressurizer water level adjustment, the steam generator water level adjustment, and the bypass discharge system action [16]. It is found in the verification that the reactor trips on low steam generator level after the unit has run for about 1 min 10 s, as shown in Fig. 2 below.

Fig. 2. Trip-steam generator level and feed water flow curve

During the trip, the level of the steam generator continued to drop. There are two reasons. The first is that a subtraction module of the feed water system has a negative value in the transient state of the trip. After the square root is taken, the output is 0, and this output is then used as the dividend in the feed water regulating valve opening command, resulting in an abnormal calculation and the valve being closed; to correct this, the verification platform added a limit to the square-root module so that its output is not 0. Continuing the test, the reactor still tripped on steam generator low water level. The second reason is that the feed water set value is low: specifically, the main steam pressure in the feed water system design is connected wrongly, and in the logic diagram file it is connected to the first-stage pressure of the turbine. When the turbine is shut down, that pressure drops quickly, the corrected main steam flow demand decreases, the valve set value reduces, the steam and feed water flows do not match, and the feed water flow is insufficient, causing the reactor trip on steam generator low water level. Based on the above analysis, after the interface is modified, the verification is continued. The experiment found that no trip occurred after the turbine tripped, but the stable value of the nuclear power and the final setting value were quite different. The preliminary analysis is that the flow rate of the secondary loop is small, the bypass steam flow after the trip condition stabilizes is quite different from the steam flow required by the final setting value, and the powers of the primary and secondary loops are not completely matched. The specific analysis should be that the modulation function of


the bypass system and the steam flow are too small, resulting in incomplete matching of the power of the primary and secondary loops and an average temperature that is too high. Also, because the power is in the switching range between the main feed water regulating valve and the low-load feed water regulating valve, the feed water valve regulation is not very stable, and there is a risk in long-term operation. After modifying the setting parameters of the bypass system, the test was continued. The final power is stable near the setting value with little difference and a stable load. In addition, compared with the flow before the parameter modification, no large peak appears during the modulation process and the regulation is relatively stable, as shown in Fig. 3, which meets the design requirements.

Fig. 3. Comparison diagram of trip bypass flow curves
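The square-root/dividend chain behind the first finding of Sect. 4.1, as an added Python example (it is not the plant's or the verification platform's code): the block structure, the scale value and the transient samples are constructed assumptions, and the example shows the valve command collapsing to 0 at the negative sample and the effect of the lower limit the platform added to the square-root module.

```python
"""Constructed model of the feed water square-root / valve-command chain from
the trip verification. Block structure, scale and sample values are
assumptions for illustration, not the plant's or the platform's logic."""
import math
from typing import List, Optional


def sqrt_block(x: float, low_limit: float = 0.0) -> float:
    """Square-root function block (assumed behaviour of the platform module).
    A negative input, which the subtraction module produces during the trip
    transient, has no real root, so the block outputs 0 for it. A positive
    low_limit clamps the output so it can never reach 0."""
    root = math.sqrt(x) if x > 0.0 else 0.0
    return max(root, low_limit)


def valve_command(delta_signal: float, scale: float, low_limit: float = 0.0) -> float:
    """Feed water regulating valve opening command in [0, 1] (assumed form).
    The square-root output is the dividend of the command, so an output of 0
    gives a command of 0 and closes the valve, which is the failure described."""
    return min(1.0, sqrt_block(delta_signal, low_limit) / scale)


def run_transient(signals: List[float], scale: float, low_limit: float = 0.0) -> List[float]:
    """Evaluate the valve command over a sequence of subtraction-module outputs."""
    return [round(valve_command(s, scale, low_limit), 3) for s in signals]


def first_closure_index(commands: List[float]) -> Optional[int]:
    """Verification check: index of the first sample where the valve command
    drops to 0 (valve closed), or None if it never does."""
    for i, c in enumerate(commands):
        if c == 0.0:
            return i
    return None


# Constructed subtraction-module output across the turbine trip transient;
# the dip below zero at sample 3 is the transient negative value. Not plant data.
TRIP_TRANSIENT = [1.00, 0.81, 0.36, -0.05, 0.04, 0.25]

if __name__ == "__main__":
    unlimited = run_transient(TRIP_TRANSIENT, scale=1.0)
    limited = run_transient(TRIP_TRANSIENT, scale=1.0, low_limit=0.1)
    print("without limit:", unlimited, "closes at", first_closure_index(unlimited))
    print("with limit:   ", limited, "closes at", first_closure_index(limited))
```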

4.2 Verification of Pressurizer Pressure Control
The pressure control of the pressurizer controls the pressure of the reactor coolant system. In a pressurized water reactor nuclear power unit, pressure control of the reactor coolant system is very important. The reactor coolant must be kept in the liquid state, so the pressure cannot be too low, otherwise the coolant vaporizes and the cooling effect worsens, resulting in a reactor core overheating accident. The pressure should not be too high either, otherwise system overpressure damages the equipment; so the pressure must be controlled within a proper range. Verifying the pressure control of the reactor coolant system means verifying whether the pressure control system can keep the pressure of the reactor coolant system within the normal range under normal operating conditions, that is, transient conditions, which is of great significance to the normal operation of the unit. According to the reactor coolant system setting manual, the pressure adjustment value was entered into the PID module. The result shows that the output changes slowly, so the actual value of the primary loop pressure rises rapidly, at most to over the limit, which triggers the operator's auxiliary function: the proportional heater is shut down, the spray valve is opened, and the pressure drops. When the auxiliary function signal of the operator disappears, the proportional heater is switched on, the spray valve is closed, and the pressure increases. This reciprocation indicates that the primary loop pressure control is unstable. Analysis shows that the unit of both the set pressure and the actual pressure is MPa, while the value of the proportional coefficient in the PID may have been set according to bar.


The relationship between the units does not match, with a difference of 10 times, so the PID regulating function does not meet the requirements. In order to verify the above analysis, the scale factor in the PID module was enlarged 10 times and the test was run again. The results show that the pressure is stable (Fig. 4).

Fig. 4. Comparison diagram of pressurizer pressure regulation curve

5 Conclusions
The RRC system involves a large number of systems. It is a dynamic regulating system with many system interfaces and parameter setting values, and any error affects the normal operation of the nuclear power plant. Manual inspection of the RRC system can hardly meet the requirements of RRC system design verification because of its heavy workload and the ease of omission. In this regard, based on digital Twins technology and an advanced third-generation engineering simulator platform [17], this article built the digital Twins of the RRC system on the basis of control module conversion technology and various automatic-tool modelling and simulation technologies. Through simulation and analysis of the RRC control system under its operating or transient conditions in the virtual space, together with comprehensive verification of the logic design and fixed-value parameters of the RRC system, the digital Twins of the RRC system provided technical support for RRC system design verification. The example experiments showed that the digital Twins verification platform of the RRC system can easily analyze and find various problems, ensuring that the logic design of the RRC system is correct, the interfaces are accurate, and the setting parameters are appropriate, so as to ensure the safe and economic operation of nuclear power plants. The work in this article provides a theoretical and technical reference for scholars carrying out digital Twins theory and technology research and for enterprises constructing and deploying digital Twins systems. In follow-up work, this research will continue to study automatic analysis and optimization methods for the RRC digital Twins system under dynamic conditions, to improve the autonomy and intelligence of the RRC digital Twins system in nuclear reactor control.


References
1. Li, Z.-J., Xu, L.J., Jiang, G.J.: Nuclear science and engineering. Chinese Nucl. Soc. Atomic Energy Press 2, 122–125 (2012)
2. Su, L.-S., et al.: 900 MW PWR nuclear power plant system and equipment, pp. 3–603. Atomic Energy Press (2005)
3. Dai, C., Zhao, G., Yu, Y.: Trend of digital product definition: from mock-up to Twins. J. Comput. Aided Des. Graph. 30(8), 1554–1562 (2018)
4. Mukherjee, T., DebRoy, T.: A digital Twins for rapid qualification of 3d printed metallic components. Appl. Mater. Today 14, 59–65 (2019)
5. Martínez, G.S., Sierla, S., Karhela, T., Vyatkin, V.: Automatic generation of a simulation-based digital Twins of an industrial process plant. In: IECON 2018-44th Annual Conference of the IEEE Industrial Electronics Society, pp. 3084–3089 (2018)
6. Gonçalves, E.M.N., Freitas, A., Botelho, S.: An AutomationML based ontology for sensor fusion in industrial plants. Sensors 19(6) (2019)
7. Merkle, L., Segura, A.S., Grummel, J.T., Lienkamp, M.: Architecture of a digital Twins for enabling digital services for battery systems. In: IEEE International Conference on Industrial Cyber Physical Systems (ICPS), pp. 155–160 (2019)
8. Madni, A.M., Madni, C.C., Lucero, S.D.: Leveraging digital Twins technology in model-based systems engineering. Systems 7(1) (2019)
9. Lohtander, M., Ahonen, N., Lanz, M., Ratava, J., Kaakkunen, J.: Micro manufacturing unit and the corresponding 3d-model for the digital Twins. In: Proceedings of the 8th Swedish Production Symposium (SPS), vol. 25, pp. 55–61 (2018)
10. Kritzinger, W., Karner, M., Traar, G., Henjes, J., Sihn, W.: Digital Twins in manufacturing: a categorical literature review and classification. IFAC-PapersOnLine 51(11), 1016–1022 (2018)
11. Guo, A., Yu, D., Hu, Y., Wang, S., An, T., Zhang, T.: Design and implementation of data collection system based on CPS model. In: International Conference on Computer Science and Mechanical Automation (CSMA), pp. 139–143 (2015)
12. Tao, F., Zhang, M.: Digital Twins shop-floor: a new shop-floor paradigm towards smart manufacturing. IEEE Access 5, 20418–20427 (2017)
13. Yang, Z.W., Huang, T., Feng, G., Luan, Z., Lin, M., Zhu, L.: Implementation of nuclear power plant simulation in start-up commissioning of reactor control system. Nucl. Power Eng. 30(S2), 49–53, 59 (2009)
14. Li, Y.K., Lin, M., Yang, Y., Liu, B.: Development of a nuclear power plant simulator for design and verification of instrumentation and control systems. Nucl. Power Eng. 35(05), 148–152 (2014)
15. Hou, J.C., Dong, X., Xiong, G., Zhang, J., Tan, K.: Parallel nuclear power: intelligent technology for smart nuclear power. J. Intell. Sci. Technol. 1(2), 192–201 (2019)
16. Ping, J.-L., Wang, C.: RRC system instrument and control function design verification report, Jump No. 11, pp. 31–44 (2019)
17. Duan, Q.-Z., et al.: Atomic energy science and technology, No. 11, pp. 904–908. China Institute of Atomic Energy (2014)

Research on a Low-Latency Communication Module for the Reactor Protection System
Le Li, Zhi-Hui Zhang, Jian-Xin Ma, and Chao Gao
China Techenergy Co., Ltd., Beijing, China

Abstract. The response time of shutdown of a nuclear reactor is an important parameter of reactor protection systems in nuclear power plants. Furthermore, as a part of the reactor protection system, the point-to-point communication system has the greatest influence on the response time of shutdown of a nuclear reactor. A new solution for optimizing the response time is introduced, in which the point-to-point communication system is implemented with FPGA technology. The newly designed system greatly improves the efficiency of communication, which contributes to shortening the response time of shutdown. This paper delivers not only an analysis of the response time of shutdown in current systems but also the design scheme of the FPGA-based system. In addition, the FPGA-based communication system is proven to optimize the response time of shutdown of a nuclear reactor and is applied in the reactor protection systems of VVER.

Keywords: Point to point communication · Reactor Protect System · Nuclear plant

1 Introduction
The Reactor Protection System (RPS), a component of the safety Instrumentation and Control (I&C) system, is recognized as the most important safety assurance system of a nuclear power plant. When its operating parameters reach the nuclear safety protection threshold, the reactor should be shut down in an emergency to avoid nuclear safety accidents. Since the handling of the shutdown response involves the safety of personnel, equipment, and the environment in nuclear power plants, the response time of shutdown of a nuclear reactor is strictly required [1]. The response time of shutdown of a nuclear reactor is recommended both in the Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants (NUREG-0800) published by the U.S. Nuclear Regulatory Commission (NRC) and in Computer-based Software Important to Safety in Nuclear Power Plants (HAD102/16) published by the Ministry of Ecology and Environment of China, and should usually be less than 0.2 s [2, 3]. Hence, how to reduce the response time of shutdown of a nuclear reactor is an important factor to be considered in the design of a safety I&C system.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 746–756, 2021. https://doi.org/10.1007/978-981-16-3456-7_75

Research on a Low-Latency Communication Module for the RPS

747

In the RPS, the response time of shutdown of a nuclear reactor refers to the time required from the signal collected by the sensor to the output signal of the RPS made by the shutdown circuit devices, which means the signal travels through Analog Input (AI), I/O bus processing, point-to-point network communication, main processor central processing unit (CPU) calculation, and Digital Output (DO). Most institutions and manufacturers reduce the response time by optimizing the selection of AI and DO modules, I/O bus ports, and CPU application algorithms [4]. However, there are few studies on improving the efficiency of network communication to optimize the response time. In this research, an FPGA-based low-latency communication module is proposed, which greatly improves the processing efficiency of multi-channel, large-data-capacity point-to-point communication in order to optimise the response time. The architecture of the RPS and the calculation method of the response time are introduced first, followed by an analysis of the factors affecting the response time. Furthermore, the point-to-point communication is optimised by the FPGA-based system, which is verified by experiment, contributing to optimising the response time of shutdown of a nuclear reactor, and is further applied in VVER.

2 Response Time of Shutdown of a Nuclear Reactor
2.1 Architecture of Reactor Protection System

Fig. 1. Illustration of a typical RPS

A typical digital reactor protection system is shown in Fig. 1; it is designed with four redundant channels, each working independently of the others. The operating condition signal of the reactor is collected through the analog input board and then input into the CPU processing unit, where after threshold comparison it participates in the voting logic processing of this channel. The result of


threshold comparison is transmitted to the other channels via point-to-point communication to participate in their voting logic processing. The threshold judgment result received by each protection channel is output to the coil of the circuit breaker of that channel through the 2oo4 voting logic [5].
2.2 Signal Process of RPS
The trip signal flow of the emergency shutdown in the RPS is shown in Fig. 2. Sensor signals are collected by the analog input board (AI) and sent to the CPU for processing; the result output by the local CPU is transmitted to the remote CPU by point-to-point communication, realized by the communication module [6]. After that, the data processed by the remote CPU is sent to the digital output board (DO), which outputs the digital signal.

Fig. 2. Diagram of trip signal flow of the RPS

a) Calculation of the Response Time

Fig. 3. Calculation of response time of shutdown of a nuclear reactor (figure labels: T_PPC, T_RPCi, T_RPCo and T_RT between RPC-CH.I, RPC-CH.II and the trip coil)

As illustrated above, three factors should be considered in the calculation of the response time of shutdown of a nuclear reactor, shown in Fig. 3: the input time of the RPS ($T_{RPCi}$), the communication time of the point-to-point communication ($T_{PPC}$), and the output time of the RPS ($T_{RPCo}$). The equation is listed below.

$$T_{RT} = T_{RPCi} + T_{PPC} + T_{RPCo} \quad (1)$$

b) Analysis of the Response Time of the FirmSys
In the FirmSys, the input time and output time of the RPS, which mainly depend on external devices such as the conditioning device, relay and coil, are difficult to optimise. In this case, the point-to-point communication is considered first for improving the response time of the system, and it is the main subject of this paper. The FirmSys, the first safety class 1E DCS produced in China with proprietary intellectual property, is taken as an example to describe how the response time is calculated. In the FirmSys, the point-to-point communication is achieved by Main Process Units (MPU) and Network Communication Units (NCU), as shown in Fig. 4. In this case, the calculation equation of the response time can be updated as below, where the processing times of the MPU and NCU and the transmission time of the network are considered.

$$T_{RT} = T_{RPCi} + 1.7\,T_{MPU1} + 2\,T_{NCU1} + T_{Trans} + 1.7\,T_{MPU2} + 2\,T_{NCU2} + T_{RPCo} \quad (2)$$

Fig. 4. Calculation of response time of shutdown of a nuclear reactor

L. Le et al.

In a specific project where FirmSys is applied, the operating cycles of the MPU and NCU are set to 15 ms and 8 ms respectively. In general cases, $T_{RPCi}$ and $T_{RPCo}$ are set to 32 ms, and the response time of shutdown of a nuclear reactor (RTSNR) can be calculated as

$$T_{RT} = T_{RPCi} + 1.7\,T_{MPU1} + 2\,T_{NCU1} + T_{Trans} + 1.7\,T_{MPU2} + 2\,T_{NCU2} + T_{RPCo} = 32 + 1.7 \times 15 + 2 \times 8 + 1.7 \times 15 + 2 \times 8 + 32 = 149\ \text{(ms)} \quad (3)$$

c) Requirement of Optimising the Response Time of the FirmSys

It can be seen from the above calculation that the cycles of the MPU and NCU greatly affect the response time of shutdown of a nuclear reactor. With the increase in the scale of nuclear I&C systems, especially after the application of the Russian VVER reactor, the amount of data processed by the MPU has greatly increased, which leads to a rising cycle of the embedded MPU. Because of the increased MPU cycle, the response time also increases, which could cause the system requirement not to be met. In this case, steps should be taken to reduce the operating cycle of the MPU or NCU in order to improve the response time. Since the algorithm implemented in the MPU is not suitable for modification, the NCU is selected for redesign.

3 A FPGA-Based Low-Latency Communication Module

3.1 Analysis of Current Communication Modules (NCU)

In FirmSys, the NCU is designed to allow the MPU to send and receive network data, as shown in Fig. 5. When sending, the MPU places the data to be sent in the DPRAM, and the NCU then reads the information from the DPRAM. Data validity verification is performed, and the verified data is sent to other nodes through the NCU. When receiving, the NCU performs the data validity check after it receives the information. Once the check passes, the data is stored in the DPRAM and then read by the MPU.

Fig. 5. Data processing of NCU


Because of the characteristics of the microprocessor, the functions of the NCU operate periodically. The tasks executed in each execution cycle of the microprocessor are shown in Fig. 6, where each subtask is executed sequentially. In this case, the minimum execution period of the network communication module is the sum of the periods of the subtasks, which is currently 8 ms.

Fig. 6. Flowchart in the microprocessor-based system

Access to the DPRAM is the second major factor affecting the microprocessor-based NCU. When the NCU receives data from other stations, it stores the received data in the designated memory area and checks the validity of the data. After the check has passed, the data is put into the corresponding memory and then written to the DPRAM. When performing the data sending task, the data written to the top area of the DPRAM by the MPU is read and its validity is verified. After the verification has passed, the data is put into the designated network sending area, and it is sent when the sending task is executed. Because of the characteristics of the microprocessor, the verification cannot be executed while data is being received.


3.2 A FPGA-Based Low-Latency Communication Module

On the basis of the original microprocessor-based solution, an FPGA-based communication module is designed, which improves the processing cycle of the point-to-point communication. Because of the parallel processing capability of the FPGA, each subtask in Fig. 6 can be executed simultaneously in the FPGA. The processing diagram of the newly designed communication module based on the FPGA architecture is shown in Fig. 7.

Fig. 7. Flowchart in the FPGA-based system (blocks: Initial, Read Cache, Send Data, Receive Data, Write Cache, Redundancy, Error, Self-monitor)

The FPGA-based communication module is implemented as shown in Fig. 8. When the MPU sends data to other nodes, the data is first written to the DPRAM and, after MAC processing, immediately sent to the other nodes via the PHY. When receiving, the data received via the PHY is stored in the DPRAM for the MPU to read. Because of the parallel processing mechanism of the FPGA, all registers can be processed synchronously, which means all subtasks can be processed at the same time [7]. According to the characteristics of the FPGA, the logic judgment on the related registers can be completed within a single FPGA clock cycle. No concept of a cycle exists in the FPGA-based communication module and all data is updated in real time, which means the overall response time of the point-to-point communication depends on the operating cycle of the MPU. The DPRAM interaction with the MPU is shown in Fig. 9. When the FPGA reads the data from the DPRAM, it also performs data buffering, data splicing, data verification and data state analysis. When reading the data from the MPU, the data is obtained directly from the DPRAM into an FPGA internal register, and the obtained data is read into the relevant status register and the data validity check module at the same time. This is equivalent to completing three subtasks of the microprocessor-based system at once, which greatly increases the efficiency of the point-to-point communication.


Fig. 8. Block diagram of a FPGA-based communication module

Fig. 9. Processing in parallel for accessing to memory (blocks: Data Cache (DPRAM), Data Width Conversion, Data Parse, Data Validity Checking, Data for MAC)

4 Verification and Analysis

4.1 Verification

A validation model is established based on FirmSys, as shown in Fig. 10. The interface of the model is the same for the microprocessor-based and the FPGA-based communication module, which allows the newly designed product to be validated in the old system [8]. The operating condition of the FPGAs and the data in the FPGA can be monitored by a logic analyser.

4.2 Analysis of Result

To measure the cycle time of the FPGA-based NCU, test points are placed in every state of the main FSM, which can be monitored by SignalTap, an on-chip logic analyser produced by Altera. A group of register values monitored by SignalTap is shown in Fig. 11.

Fig. 10. Verification platform (blocks: PC-Based Monitor (Engineer Station), MPU, MPU, FPGA-based NCU, FPGA-based NCU, Logic Analyzer (SignalTap), Oscilloscope)

Fig. 11. Result observed from SignalTap

After 100 repeated experiments, the time of data transmission from sender to receiver lies between 750 us and 850 us, as shown in Fig. 12. In this case, the processing time of the point-to-point communication achieved by the FPGA-based communication module can be taken as 0.8 ms and used for further calculation.

4.3 Analysis of the Response Time

After the FPGA-based communication module is applied, the response time can be calculated again:

$$T_{RT} = T_{RPCi} + 1.7\,T_{MPU1} + T_{PPC} + 1.7\,T_{MPU2} + T_{RPCo} = 32 + 1.7 \times 15 + 0.8 + 1.7 \times 15 + 32 = 117.8\ \text{(ms)} \quad (4)$$

As a result, the response time of shutdown of the nuclear reactor based on FirmSys is reduced by 31.2 ms.


Fig. 12. Verification result
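The link described in Sects. 3.1 and 3.2 (the MPU writes to the DPRAM, the sending NCU validates and transmits, the receiving NCU validates and writes to the DPRAM) and the 2oo4 voting of Sect. 2.1 can be exercised in a small executable model, which also makes the difference between a cyclic NCU and a cycle-free FPGA link concrete. The following Python is an added example written for this edition; it is not code from the paper or from FirmSys. The frame layout (sync word, sequence number, length, CRC-16/CCITT), the treatment of an invalid or missing channel frame as a trip vote, and the "wait for the next cycle boundary, then one processing cycle" delay model for the microprocessor NCU are assumptions of the example; the 8 ms NCU cycle and the 0.8 ms FPGA sender-to-receiver time are the values reported above.

```python
"""
Executable model of the RPS point-to-point link and 2oo4 voting.
Assumptions (not from the paper): frame layout, CRC-16/CCITT-FALSE as the
validity check, fail-safe handling of bad frames, and the cyclic delay model.
"""
import struct

SYNC = 0xA55A          # constructed frame marker
MAX_PAYLOAD = 16       # constructed payload limit (bytes)
CHANNELS = ("I", "II", "III", "IV")
NCU_CYCLE_MS = 8.0     # microprocessor NCU cycle reported in Sect. 2.2
FPGA_LINK_MS = 0.8     # sender-to-receiver time measured in Sect. 4.2


def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF), bit-serial as logic would do it."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def build_frame(seq: int, payload: bytes) -> bytes:
    """Sending NCU: wrap the MPU's partial-trip word in sync, sequence, length and CRC."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too long")
    body = struct.pack(">HBB", SYNC, seq & 0xFF, len(payload)) + payload
    return body + struct.pack(">H", crc16_ccitt(body))


def validate_frame(frame, expected_seq: int):
    """Receiving NCU validity check. Returns (status, payload); payload is None unless OK."""
    if frame is None:
        return "MISSING", None
    if len(frame) < 6:
        return "LENGTH", None
    sync, seq, length = struct.unpack(">HBB", frame[:4])
    if sync != SYNC:
        return "SYNC", None
    if len(frame) != 4 + length + 2:
        return "LENGTH", None
    body, (crc,) = frame[:-2], struct.unpack(">H", frame[-2:])
    if crc16_ccitt(body) != crc:
        return "CRC", None
    if seq != expected_seq & 0xFF:
        return "SEQ", None          # stale or replayed frame
    return "OK", frame[4:4 + length]


def vote_2oo4(frames: dict, expected_seq: int, local_trip: bool):
    """2oo4 voting at one channel over its own partial trip and the three received frames.
    Remote channels are keys of `frames` (value None = nothing received); the channel
    absent from `frames` is the local one. An invalid or missing frame counts as a trip
    (fail-safe assumption)."""
    statuses, trips = {}, 0
    for ch in CHANNELS:
        if ch not in frames:            # the local channel: no link involved
            statuses[ch] = "LOCAL"
            trips += int(local_trip)
            continue
        status, payload = validate_frame(frames[ch], expected_seq)
        statuses[ch] = status
        trips += 1 if status != "OK" else int(payload[0] == 1)
    return trips >= 2, statuses


def cyclic_ncu_delay(arrival_ms: float, cycle_ms: float = NCU_CYCLE_MS) -> float:
    """Microprocessor NCU: data arriving mid-cycle waits for the next cycle boundary and
    is handled during the following full cycle, so the delay lies in [cycle, 2*cycle)."""
    wait = (-arrival_ms) % cycle_ms
    return wait + cycle_ms


def link_delay_cyclic(arrival_ms: float, trans_ms: float = 0.0) -> float:
    """Sender NCU + transmission + receiver NCU, the 2*T_NCU1 + T_Trans + 2*T_NCU2 part of Eq. (2)."""
    t_send = cyclic_ncu_delay(arrival_ms)
    t_recv = cyclic_ncu_delay(arrival_ms + t_send + trans_ms)
    return t_send + trans_ms + t_recv


def link_delay_fpga(arrival_ms: float) -> float:
    """FPGA NCU: no cycle, so the measured sender-to-receiver time is used as T_PPC."""
    return FPGA_LINK_MS


def demo():
    """Constructed scenario: channel I trips, channel II's frame is corrupted in transit."""
    seq = 7
    ok = build_frame(seq, b"\x01")                # channel I: partial trip
    corrupted = bytearray(build_frame(seq, b"\x00"))
    corrupted[4] ^= 0x01                          # channel II: flipped payload bit, CRC fails
    frames = {"I": ok, "II": bytes(corrupted), "III": build_frame(seq, b"\x00")}
    trip, statuses = vote_2oo4(frames, seq, local_trip=False)
    return trip, statuses, link_delay_cyclic(3.0), link_delay_fpga(3.0)


if __name__ == "__main__":
    print(demo())
```

In the constructed scenario the corrupted frame from channel II is rejected by the CRC check and, under the fail-safe assumption, counted as a trip alongside channel I, so the 2oo4 voter trips even though only one channel actually reported a partial trip; for data arriving 3 ms into an NCU cycle the cyclic model yields 21 ms across two NCUs, against the constant 0.8 ms of the FPGA link.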

5 Conclusion

A new solution for optimizing the response time of shutdown of the nuclear reactor is introduced in this paper, in which a low-latency communication module is implemented with FPGA technology. An analysis of the response time of shutdown in current systems is delivered, followed by the design scheme of the FPGA-based module. In addition, the experimental results show that the FPGA-based communication module shortens the response time of shutdown of a nuclear reactor, which supports the application of advanced technologies in reactor protection systems. In future research, the use of FPGAs to realise other equipment and functions of the safety I&C system is the research objective.

References

1. Yang, Q.: Status and development tactics for key technology of digitized instrument and control system for nuclear power plant. Nucl. Power Eng. 23(2), 4 (2002)
2. Guidance on Digital Computer Real-Time Performance, 0-7381-6710-X
3. Computer-based important safety system software for nuclear power plants, 0-7381-6710-X
4. Zheng, W.-Z., Li, X.-J., Zhu, Y.-M.: Response time analysis of nuclear power plant shutdown of digital reactor protection system. Autom. Panorama 8, 3 (2010)
5. Wang, J.-N., Zhou, A.-P., Qie, Y.-X., Zhi, Y.: Analysis and testing of emergency shutdown response time of reactor protection system in nuclear power plants. Nucl. Power Eng. 33(2), 6 (2012)
6. Li, L., Ma, Z.-Y., Zhou, F.: FPGA-based technologies improving the efficiency of point to point communications in safety-related DCSs. In: 25th International Conference on Nuclear Engineering, Shanghai. ASME (2017)
7. Li, L., Zhang, C.-L., Cheng, K., Sun, X.-X., Yang, W.-Y.: Research on a certainty data link layer protocol for the communication network in nuclear safety DCS. In: Xu, Y., Sun, Y., Liu, Y., Wang, Y., Gu, P., Liu, Z. (eds.) Nuclear Power Plants: Innovative Technologies for Instrumentation and Control Systems. SICPNPP 2019. Lecture Notes in Electrical Engineering, vol. 595. Springer, Singapore (2020). https://doi.org/10.1007/978-981-15-1876-8
8. Review Guidelines for Field-Programmable Gate Arrays in Nuclear Power Plant Safety Systems (2009)

Research About Software Verification and Validation of Control and Protection System for Chinese Heavy-Duty Gas Turbine

Peng-Fei Gu1, Zhe-Ming Liu1,2, He-Ming Bao1(B), Tao Bai1, and Xue-Fei Zhai1

1 China United Gas Turbine Technology Co., Ltd., Beijing, China
2 China Automation Industry Chain Alliance (Beijing) Technology Industry Development Co., Ltd., Beijing, China

Abstract. With the development of digital and intelligent technology in industrial control, the safety and reliability of control and protection systems are becoming increasingly prominent. As the pearl of modern industry, the heavy-duty gas turbine is very important, and the ongoing independent R&D work of UGTC (China United Gas Turbine Technology Co., Ltd.) has attracted great attention in the industry. As the nerve center of the gas turbine, whether the control and protection system can complete the expected function safely and reliably is also an important part of the independent R&D work on heavy-duty gas turbines. In this paper, combining the independent research and development experience of nuclear power control and protection systems in China, and based on the functional safety certification requirements of the IEC 61508 standard, the technical scheme of software V&V for the heavy-duty gas turbine control and protection system is discussed, and the relevant key technical points are put forward, which has a certain guiding significance for the design and commissioning of the control and protection system of the heavy-duty gas turbine.

Keywords: Heavy-duty gas turbine · Control and protection system · Software verification and validation

1 Introduction

Since its invention by the BBC company in 1939, the gas turbine has been widely used in power generation, pipeline power, ship power, locomotive power and other fields after more than 60 years of development. It is an important piece of high-end technical equipment that integrates many technologies, and plays an important role in national defense, energy, transportation and other industrial sectors [1]. With the emergence of new heavy-duty gas turbine technology and the growth of market demand, its control system has gone through three stages: mechanical-hydraulic control, analog electronic control and digital electronic control. Today, it has developed into a highly complex, distributed, multiply redundant, nonlinear and multifunctional digital electronic control system, and has become a high-tech product that combines modern optical, mechanical, electrical, information and control technology [1].

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 757–764, 2021. https://doi.org/10.1007/978-981-16-3456-7_76


P.-F. Gu et al.

The independent R&D of the heavy-duty gas turbine in China has entered a critical stage. As the nerve center of the gas turbine, whether the control and protection system can complete the expected function safely and reliably is one of the key factors for the success of heavy-duty gas turbine research and development. Combining the successful experience of independent research and development of control and protection systems in China's nuclear power industry with the requirements of functional safety certification based on the IEC 61508 standard, this paper discusses the technical scheme of software V&V (Verification and Validation) for the heavy-duty gas turbine control and protection system, puts forward the key technical points in implementing software V&V, and provides technical guidance for the detailed design and system commissioning of the control and protection system of subsequent heavy-duty gas turbines.

2 Difficulties in Control and Protection System of Heavy Duty Gas Turbine

The heavy-duty gas turbine has the characteristics of a complex process flow, fast dynamic process and strong nonlinear coupling. There are many technical difficulties in the design of its control and protection system, such as multiple control objectives, high target requirements, high control accuracy and large control scale. With the deepening application of digital, intelligent and other new technologies, the safety and reliability of its control and protection system have become increasingly prominent. In order to reduce the accident risk caused by failure of the control and protection system, the gas turbine protection system must meet the functional safety requirements of IEC 61508 SIL3. The Siemens gas turbine protection system adopts the AS620F (S5-95F/H) fail-safe subsystem, France's Alstom applies the CE3500 triple-redundant subsystem of the ALSPA system for gas turbine control and protection, American GM also introduces the Mark VI control and protection system, and Japan's Mitsubishi Heavy Industries (MHI) adopted the DIASYS system for gas turbine control and protection in August 2013; all of these comply with IEC 61508 SIL3 functional safety requirements and certification [3]. In recent decades, domestic industrial control system products have also developed rapidly. Industrial control systems independently developed by Chinese companies have achieved good application performance in the coal, chemical and electric power industries, but it is very difficult for them to pass IEC 61508 SIL3 functional safety certification.

In China's nuclear power industry, because of the particularity of nuclear power safety, the FirmSys platform of the CGN nuclear power station protection system not only carries out software V&V according to IEEE 1012 integrity level 4, but also does the related work of IEC 61508 SIL3 functional safety certification and has gained experience from it; the FirmSys system has been well applied in Yangjiang units 5 and 6 and Tianwan units 5 and 6. The NUPAC system independently developed by SPIC has also carried out relevant work in accordance with IEEE 1012 integrity level 4 and IEC 61508 SIL3 functional safety certification, and will also be applied in the CAP1400 demonstration project in Shidao, Shandong Province.

Research About Software Verification and Validation of Control and Protection System


In the above design and verification process, how to effectively implement software V&V is one of the key points and technical difficulties. Therefore, in the process of independent R&D of heavy-duty gas turbine control and protection system, it is very important to plan the software V&V scheme of control and protection system according to the requirements of regulations and standards.

3 Discussion on Key Points of Software V&V Scheme

Both the SIL level of IEC 61508 and the integrity level of IEEE 1012 are risk-based classification schemes. According to the severity of the consequences of errors in function or system characteristics and the probability of these consequences, the SIL or integrity level of the system and software is generally divided into four levels, among which level 1 is the lowest and level 4 is the highest. The software V&V process includes a verification process and a validation process. The objective evidence provided by the verification process is used to prove whether the product meets the requirements of all activities in each stage, whether it meets the standards and specifications, and whether it has successfully completed all activities and meets the conditions for starting subsequent activities. The objective evidence provided by the validation process is used to prove whether the product meets the specified system requirements at the end of each phase and finally meets the expectation [4]. Based on the engineering experience of nuclear power control and protection system software V&V, combined with the standard requirements, the key points in software V&V practice are as follows:

3.1 The Organizational Model of Maintaining Relative Independence

In the organizational model composed of the design R&D team, manufacturing team, V&V team and expert team, the independence of each team should be maintained, with the emphasis on the independence of the design R&D team and the software V&V team. Independence is mainly reflected in three aspects: technical independence, management independence and financial independence.

1) Technical independence

Technical independence requires that the V&V team members should not include R&D team members, and the V&V team should form an independent and systematic test plan.
Technical independence is mainly achieved through the independence and diversity of personnel, methods and tools, so as to identify those subtle errors that are easily overlooked by the development team.

2) Managerial independence

Management independence means, on the one hand, that the responsibility of the V&V team belongs to an independent management department. On the other hand, it means that the V&V team can independently choose the software and system for analysis and testing, select the technology used for test verification, customize the test and V&V work plan, and submit all the software V&V test results and abnormal information to the management department.

3) Financial independence

Financial independence means that the budget of the V&V work is controlled by organizations other than R&D, to prevent the influence of misappropriation of funds or adverse financial pressure. As shown in Table 1, according to the above three forms of independence, V&V organization can be divided into five types: classical, modified, integrated, internal and embedded.

Table 1. Forms of V&V

V&V Form      Technical   Management   Financial
Classical     I           I            I
Modified      I           i            I
Integrated    i           I            I
Internal      i           i            i
Embedded      e           e            e

I: Rigorous independence; i: Conditional independence; e: Minimal independence

1) Classical V&V

The classical V&V organization form is usually in the charge of an organization completely independent of the R&D team in terms of technology, management and finance. In the classical V&V, on the one hand, the V&V team should ensure its independence from the R&D team; on the other hand, it should establish a close working relationship with the development team, so that the conclusions and suggestions of software V&V can be quickly integrated into the software development work. Generally, the classical V&V must be used for software verification at software integrity level 4.

2) Modified V&V

The modified V&V organization form is suitable for large-scale program verification; its V&V team and R&D team belong to the same management organization. Under the same management structure, the efficiency of the connection between V&V and R&D work is improved, but the independence of management is reduced. At the same time, the technical and financial independence of V&V is retained because the V&V result report is submitted to the superior management. Generally, the modified V&V form is suitable for software verification at software integrity level 3.

3) Integrated V&V

The integrated V&V organization form is mainly used for fast feedback of V&V results. In this form, finance and management are independent of the R&D team, which can maximize the independence of V&V. The V&V team can work side by side with the R&D team, review unpublished R&D samples in time, and provide V&V feedback during the R&D team's own inspection and review.

4) Internal V&V

In the internal V&V organization form, the R&D team uses its internal members as the V&V team, but the same personnel should not be used for both. The independence of technology, management and finance is weakened. The main reason for the weakening of technical independence is that internal V&V tends to overlook mistakes in the development process during testing because it adopts the same assumptions and development environment. The reason for the weakening of management independence is that the R&D team and the V&V team are under the same management organization, so negative pressure on the software R&D team is likely to have a negative impact on the work of the V&V team.

5) Embedded V&V

In the embedded V&V organization form, the V&V work uses internal members of the R&D team, and V&V team members should avoid participating directly in R&D work. It focuses on the consistency of the V&V process and the development process. It helps to provide feedback of V&V results during product development, but it reduces the independence of the V&V team in technology, management and finance.

3.2 Identify Software V&V Processes and Tasks

The "V-diagram" model (see Fig. 1) based on IEC 61508 includes the identification of the V&V technical content in each stage and the determination of the various technical conditions.

Fig. 1. Software V&V model (V-diagram: E/E/PE safety system requirements specification, software security requirements specification, E/E/PE system architecture, software architecture, software system design, module design, code; module test, integration testing (module), integration testing (components, subsystems and programmable electronics), V&V test, validated software)

As shown in Fig. 1, software V&V work is carried out in phases according to the control and protection system development life cycle process defined by the project.


Software architecture design V&V mainly validates the software architecture design against the software security requirements and makes the system integration test plan; software system design V&V mainly verifies the software system design against the software architecture design and formulates the software integration test plan; software module design V&V focuses on verifying the module design against the software system design and makes the module test plan; software coding V&V mainly evaluates the conformity of the software source code with the related design documents through static or dynamic testing. After that, the software integration test, system integration test and system validation are carried out in turn. Carrying out the V&V work in parallel with the design R&D work enables the V&V team to get involved in each stage of the system development life cycle as early as possible, find errors, defects and omissions in requirements and design in time, modify the requirements and design scheme as early as possible, and avoid a lot of rework in later stages, so as to greatly save manpower cost and guarantee the schedule.

3.3 Selection of Test Methods and Verification Tools

As far as possible, the R&D team and the V&V testing team should choose independent verification tools. Limited by the support environment and the cost of independent tools, tools are sometimes shared. For shared testing tools, the software V&V team needs to confirm their reliability and scope of application, so as to ensure that the shared tools do not contain errors that may mask errors in the analyzed and tested software.
Therefore, the V&V team should pay attention to the following points in the selection of test verification tools:

1) Modular development methods should be adopted as far as possible to reduce the use of verification tools;
2) Relevant verification tools should be independently researched and developed to minimize the procurement of foreign tools;
3) Necessary foreign tools that have been verified or approved in other industries should be purchased.

3.4 Problem Handling Process

The work between the R&D team and the V&V team is an interactive workflow, so it needs a complete process for problem handling, document modification and submission. The software V&V problem handling flow chart is shown in Fig. 2. Generally, design documents (first edition) are prepared by the R&D team and submitted to the V&V team. For the problems found in verification, the V&V team puts forward a problem sheet to the R&D team for confirmation. If the R&D team accepts the problem sheet and makes the modification, the V&V team conducts regression verification to confirm that the modification is correct and then proceeds to the follow-up process. However, in the case that the R&D team does not accept the problem sheet, the V&V team and the R&D team negotiate to complete the problem confirmation. The treatment of controversial issues will be decided by the expert team, and attention should be paid to the classification of problem levels at the beginning. Problems of different levels are generally determined according to the degree of harm. The classification of problem levels has very important practical significance for FMEA analysis at the follow-up system level.

Fig. 2. Software V&V work flow chart (nodes: R&D Team, Design Documents (First Edition), V&V Team, Question Documents, R&D Team Confirm, R&D Accept, R&D Unaccept, Question reply Document, Fallback question Document, V&V Team Confirm, V&V Accept, Consultation, Expert team Review, Expert opinion Documents, Approval, Not up to release standard, Design Documents (Release Edition), Release, Manufacturing team)


4 Conclusion and Prospect

The independent R&D of China's reburning gas turbine has entered a critical stage. With the gradual determination of the process system, the requirements of the control and protection system will be determined. With the further deepening of the design, the related installation and commissioning work will also enter a critical stage. As the nerve center of the gas turbine, whether the control and protection system can complete the expected function safely and reliably is also an important part of the independent R&D work on the heavy-duty gas turbine. Drawing on the successful experience of independent research and development of control and protection systems in China's nuclear power industry, the technical scheme of software V&V for the heavy-duty gas turbine control and protection system is implemented based on the functional safety certification requirements of the IEC 61508 standard, which has good guiding significance for the detailed design and system commissioning of the follow-up heavy-duty gas turbine control and protection system.

References

1. Saite, W.: Review on the research of application of gas turbine. Light Ind. Sci. Technol. 35(12), 52–54 (2019)
2. Shangming, L., Ai, H., Hongde, J.: Development trend of heavy-duty gas turbine control technology. Therm. Turb. 42(04), 217–224 (2013)
3. Feiyang, H.: Development of heavy duty gas turbine control technology. Sci. Technol. Inf. 15(10), 43–44 (2017)
4. Zekan, C., Shuaike, G.: Verification and validation of non-1E DCS software in digital nuclear power plant. Tech. Autom. Appl. 39(10), 61–66 (2020)

Author Index

B: Bai, Le-Yuan, 610; Bai, Tao, 157, 411, 436, 444, 757; Bai, Xu-Tao, 665, 696; Bao, He-Ming, 757

C: Chen, Huan-Lin, 55; Chen, Hua-Ping, 490; Chen, Qi, 273, 301; Chen, Ri-Gang, 429; Chen, Xian-Bo, 97; Chen, Xiu-Sen, 332; Chen, Yang, 216; Chen, Zheng-Tao, 681; Chen, Zhi, 452; Cheng, Bo, 649; Cheng, Jin-Xing, 14, 24, 97; Chun, Zeng-Jun, 316

D: Dai, Jun-An, 452; Dai, Wei-Qi, 341; Dang, Li-Jun, 247; Deng, Peng, 674; Deng, Xiao-Fei, 1; Deng, Zhi-Guang, 186, 199, 273, 292, 301; Du, Xin, 134

F: Fan, Hai-Ying, 706; Fan, Jin, 370; Fang, Hua-Song, 665; Fu, Tao, 164

G: Gao, Chao, 746; Gao, Nan, 226; Gao, Yuan, 123; Gu, Kai, 657; Gu, Peng-Fei, 688, 757; Gu, Shan-Shan, 573; Guo, Chao, 71; Guo, Zhi-Wu, 518, 527

H: Han, Wen-Xing, 282; Hao, Zhao-Lei, 8; He, Peng, 186; He, Xian-jian, 216; He, Xian-Jian, 239; Heming, Bao, 688; Hou, Rong-Bin, 260; Huang, Hua, 8; Huang, Huan, 536; Huang, Jun, 247; Huang, Qing-Huai, 226; Huang, Wei-jie, 370; Huang, Wei-Jie, 674; Huang, Xiao-Jin, 71; Huang, Xin-Nian, 332; Huang, Xin-Nian, 106, 706

J: Jia, Ming, 599, 641; Jiang, Hui, 536; Jiang, Lei, 114, 148; Jiang, Wei, 260, 273, 282; Jiao, Wen, 354; Jin, Gang, 716

L: Lan, Lin, 260, 282; Lei, Wei-Jian, 341; Li, Bao-Cheng, 674; Li, Fang, 582; Li, Fa-Qiang, 452; Li, Gong-Jie, 164; Li, Heng, 114, 134, 332, 573, 610, 616, 706; Li, Jian-Gang, 483; Li, Jiang-Hai, 71; Li, Jing, 386, 563; Li, Lang, 97; Li, Le, 746; Li, Lei, 681; Li, Liang, 370, 674; Li, Shuang, 490; Li, Tian-You, 386, 563; Li, Xiao-Feng, 114, 706; Li, Xi-Yun, 429; Li, Yan, 55; Li, Yong, 260; Li, You-Ran, 589; Li, Yu-Tong, 226; Li, Zhi-Jun, 674; Liang, Hui-Hui, 380; Liang, Zhong-Qi, 483; Liao, Sheng-Yong, 64; Liu, Ai-Fen, 1; Liu, Guan-Ron, 226; Liu, Jian, 490; Liu, Lu, 616; Liu, Ming-ming, 216; Liu, Ming-Ming, 226, 239, 292, 724; Liu, Ming-Xing, 260, 282, 452; Liu, Wei, 157, 380; Liu, Xiao-Yu, 106, 332; Liu, Yi-Ming, 470; Liu, Zhe-Ming, 757; Liu, Zhi-Yao, 623; Liu, Zhi-Yin, 114, 616; Long, Min, 582; Lu, Chao, 738; Luan, Zhen-Hua, 490, 649; Luo, Xiao-Jun, 239; Lv, Dong-Bao, 429; Lv, Xin, 199; Lv, Zhi-Hong, 657

M: Ma, Jian-Xin, 746; Ma, Jing, 341; Ma, Quan, 260, 282, 292; Ma, Yi-Wei, 123; Meng, Jia, 1

P: Peng, Hao, 273, 301; Peng, Hua-Qing, 134, 386, 411, 573, 599, 649, 657, 706; Ping, Jia-Lin, 536, 738

Q: Qian, Xiao-Ming, 8, 177; Qiao, Jian-Wang, 649; Qing, Yue, 186; Qiu, Lei-Lei, 724; Qiu, Rui, 14

S: Shang, Jing, 386, 563; She, Jing-Ke, 505; Shen, Zhen-Yu, 386; Shi, Ji, 157, 411, 463; Shu, Guo-Gang, 688; Si, Wen, 71; Su, De-Song, 599, 633, 641; Sun, Ao-Di, 84, 724; Sun, Bao-Cheng, 696; Sun, Dan-Dan, 665, 696; Sun, Fei-Yang, 681; Sun, Na, 400; Sun, Pei-Wei, 354

T: Tang, Jian-Zhong, 380, 444; Tian, Li-Chuang, 582; Tian, Ya-Jie, 177, 386, 536, 681

W: Wang, Bi-Yao, 490; Wang, Chun-Bing, 738; Wang, Chun-Yi, 30; Wang, Dong-Wei, 452; Wang, Hao, 45; Wang, Hui, 148; Wang, Jia-Ni, 505; Wang, Lian-Chun, 483; Wang, Qing-Bo, 14, 24, 97; Wang, Sheng-Chao, 436, 444, 463; Wang, Xue-Mei, 199; Wang, Xu-Feng, 610; Wei, Sun, 551; Wei, Wei, 1; Wei, Xin-Yu, 84, 354, 724; Wen, Jing, 239; Wen, Wei-Wei, 14, 24, 97; Wu, Qi, 716; Wu, Qian, 186, 199, 400, 470; Wu, Xiao, 452; Wu, Yi-Qian, 649; Wu, You-Peng, 14, 24, 97

X: Xi, Wang, 157; Xiang, Mei-Qiong, 186; Xiao, Zhou, 114, 134, 177, 616; Xie, Yong-Quan, 623; Xu, Biao, 216; Xu, Dan, 8, 177; Xu, Jian-Quan, 657; Xu, Si-Jie, 199; Xu, Tao, 186; Xu, Xiao-Mei, 633; Xu, Yang, 30; Xu, Zhi-Hui, 599, 641; Xue, Shi-Yu, 505

Y: Yan, Zhen-Yu, 316; Yang, Fei, 260, 282; Yang, Jing-Yuan, 716; Yang, Su-Yuan, 505; Yang, Xiao-Chen, 316; Yang, Xing-Can, 633; Yang, Xin-Sheng, 411; Yang, Zhen, 536; Yang, Zheng-Hui, 45; Yao, Chang-Wen, 452; Ye, Qi, 247; Ye, Wang-Ping, 380, 420, 436, 444, 463; Ying, Cao, 688; Yu, Ai, 14, 24, 97; Yuan, Wei, 97

Z: Zeng, Bin, 573, 610; Zeng, Li, 386; Zhai, Xue-Fei, 688, 757; Zhang, Chao, 463; Zhang, Dong, 64; Zhang, Jie-Mei, 599, 641; Zhang, Ji-Wei, 490; Zhang, Kai, 30; Zhang, Li-Ming, 134, 164, 551, 563, 573, 649, 738; Zhang, Li-Qin, 716; Zhang, Long-Qiang, 527; Zhang, Qian, 490; Zhang, Qing, 239; Zhang, Ru, 724; Zhang, Rui, 386; Zhang, Rui-Feng, 483; Zhang, Rui-Ping, 400, 470; Zhang, Xian-Shan, 354; Zhang, Xiao-Chen, 665, 696; Zhang, Xu, 273, 292, 301; Zhang, Xue-Gang, 599, 633, 641; Zhang, Yi, 45; Zhang, Yu, 273; Zhang, Yue, 14, 370; Zhang, Zhi-Hui, 746; Zhang-yu, 657; Zhou, Can, 623, 738; Zhou, Jian-Qiu, 55; Zhou, Liang, 518; Zhou, Mao, 226; Zhu, Bi-Wei, 186, 199; Zhu, Jia-Liang, 199; Zhu, Lu, 518; Zhu, Wen-Kai, 14, 24; Zou, Jie, 649; Zou, Lai-Long, 316

© The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2021
Y. Xu et al. (Eds.): SICPNPP 2020, LNEE 779, pp. 765–767, 2021. https://doi.org/10.1007/978-981-16-3456-7